
Palo Alto Networks

PAN-OS Administrator's Guide


Version 7.0

Contact Information
Corporate Headquarters:

Palo Alto Networks


4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us

About this Guide


This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation firewall.
For additional information, refer to the following resources:

For information on the additional capabilities and for instructions on configuring the features on the firewall, refer
to https://www.paloaltonetworks.com/documentation.

For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to
https://live.paloaltonetworks.com.

For contacting support, for information on the support programs, or to manage your account or devices, refer to
https://support.paloaltonetworks.com.

For the latest release notes, go to the software downloads page at
https://support.paloaltonetworks.com/Updates/SoftwareUpdates.

To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.


www.paloaltonetworks.com
© 2007–2015 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be
found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.
Revision Date: December 23, 2015

2 PAN-OS 7.0 Administrator's Guide

Palo Alto Networks

Table of Contents
Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Integrate the Firewall into Your Management Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Determine Your Management Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Perform Initial Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Set Up Network Access for External Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Register the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Activate Licenses and Subscriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Manage Content Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Install Software Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Create the Security Perimeter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Basic Interface Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
About Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Plan the Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Configure Interfaces and Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Set Up Basic Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Enable Basic Threat Prevention Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Enable WildFire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Scan Traffic for Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Control Access to Web Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Best Practices for Completing the Firewall Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Device Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61


Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Use the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Use the Command Line Interface (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Use the XML API. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Manage Firewall Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Administrative Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Administrative Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Configure Administrative Accounts and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Configure an Administrative Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Configure Kerberos SSO and External or Local Authentication for Administrators . . . . . . . . . . . . . . 79
Configure Certificate-Based Administrator Authentication to the Web Interface . . . . . . . . . . . . . . . . 81
Configure SSH Key-Based Administrator Authentication to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Configure RADIUS Vendor-Specific Attributes for Administrator Authentication. . . . . . . . . . . . . . . 83
Reference: Web Interface Administrator Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Web Interface Access Privileges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Panorama Web Interface Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Reference: Port Numbers Used by Palo Alto Networks Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Ports Used for Management Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Ports Used for HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Ports Used for Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Ports Used for User-ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Reset the Firewall to Factory Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133


Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Configure Kerberos Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Configure External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Configure Authentication Server Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Configure a RADIUS Server Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
RADIUS Vendor-Specific Attributes for Palo Alto Networks Devices . . . . . . . . . . . . . . . . . . . . . . . 140
Configure a TACACS+ Server Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configure an LDAP Server Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Configure a Kerberos Server Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
CHAP and PAP Authentication for RADIUS and TACACS+ Servers . . . . . . . . . . . . . . . . . . . . . . . 144
Configure an Authentication Profile and Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Enable External Authentication for Users and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Test Authentication Server Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Run the Test Authentication Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Local Database Authentication Profile Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
RADIUS Authentication Profile Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
TACACS+ Authentication Profile Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
LDAP Authentication Profile Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Kerberos Authentication Profile Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Troubleshoot Authentication Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Certificate Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163


Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Certificate Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Certificate Revocation List (CRL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Open Certificate Status Protocol (OCSP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Certificate Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Set Up Verification for Certificate Revocation Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Configure an OCSP Responder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Configure Revocation Status Verification of Certificates Used for User/Device Authentication. . . 170
Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption . . . . . . . . 170

Configure the Master Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172


Obtain Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Create a Self-Signed Root CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Generate a Certificate on the Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Import a Certificate and Private Key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Obtain a Certificate from an External CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Export a Certificate and Private Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180


Configure a Certificate Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Configure an SSL/TLS Service Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Configure the Key Size for SSL Forward Proxy Server Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Revoke and Renew Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Revoke a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Renew a Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185


Secure Keys with a Hardware Security Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186


Set up Connectivity with an HSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Encrypt a Master Key Using an HSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Store Private Keys on an HSM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Manage the HSM Deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197


HA Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
HA Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
HA Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
HA Links and Backup Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Device Priority and Preemption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Failover Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
HA Timers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Set Up Active/Passive HA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Prerequisites for Active/Passive HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Configuration Guidelines for Active/Passive HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Configure Active/Passive HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Define HA Failover Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Verify Failover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
HA Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
Use the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Use the Application Command Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
ACC—First Look . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
ACC Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
ACC Widgets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Widget Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
ACC Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Interact with the ACC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Use Case: ACC—Path of Information Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
App Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Summary Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Change Monitor Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Threat Monitor Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Threat Map Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Network Monitor Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Traffic Map Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Use the Automated Correlation Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Automated Correlation Engine Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
View the Correlated Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Interpret Correlated Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Use the Compromised Hosts Widget in the ACC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256


Take Packet Captures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Disable Hardware Offload. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Take a Custom Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Take a Threat Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Take an Application Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

Monitor Applications and Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270


Monitor and Manage Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
View the Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Filter Log Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Configure Log Storage Quotas and Expiration Periods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Log Severity Levels and WildFire Verdicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Schedule Log Exports to an SCP or FTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Manage Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Report Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
View Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Configure the Report Expiration Period. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Disable Predefined Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Generate Custom Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Generate Botnet Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Manage PDF Summary Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Generate User/Group Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Manage Report Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Schedule Reports for Email Delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Use External Services for Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300


Configure Log Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Configure Email Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Use Syslog for Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Configure Syslog Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Syslog Field Descriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
SNMP Monitoring and Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
SNMP for Palo Alto Networks Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Use an SNMP Manager to Explore MIBs and Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Enable SNMP Services for Firewall-Secured Network Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Monitor Device Statistics Using SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Forward Traps to an SNMP Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Supported MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

NetFlow Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344


Configure NetFlow Exports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
NetFlow Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors . . . . . . . . . . . . . . . . . . . . . . . . 349

User-ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
User-ID Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
User-ID Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Group Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
User Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355


Enable User-ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359


Map Users to Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Map IP Addresses to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Configure User Mapping Using the Windows User-ID Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Configure User Mapping Using the PAN-OS Integrated User-ID Agent. . . . . . . . . . . . . . . . . . . . . . 370
Configure User-ID to Receive User Mappings from a Syslog Sender . . . . . . . . . . . . . . . . . . . . . . . . . 373
Map IP Addresses to Usernames Using Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Configure User Mapping for Terminal Server Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Send User Mappings to User-ID Using the XML API. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Configure a Firewall to Share User Mapping Data with Other Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Enable User- and Group-Based Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Enable Policy for Users with Multiple Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Verify the User-ID Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Deploy User-ID in a Large-Scale Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Windows Log Forwarding and Global Catalog Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Plan Your User-ID Implementation for a Large-Scale Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Configure Windows Log Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Configure User-ID for a Large-Scale Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

App-ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
App-ID Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Manage Custom or Unknown Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Manage New App-IDs Introduced in Content Releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Review New App-IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Review New App-IDs Since Last Content Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Review New App-ID Impact on Existing Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Disable or Enable App-IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Prepare Policy Updates For Pending App-IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Use Application Objects in Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Create an Application Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Create an Application Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Create a Custom Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Applications with Implicit Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Application Level Gateways. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Disable the SIP Application-level Gateway (ALG). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437

Threat Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439


Set Up Security Profiles and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Set Up Data Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Set Up File Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Prevent Brute Force Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Brute Force Attack Signatures and Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Customize the Action and Trigger Conditions for a Brute Force Signature . . . . . . . . . . . . . . . . . . . . 453

Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions . . . . . . . . . . . . . . . . . . . . 456
Enable Passive DNS Collection for Improved Threat Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Use DNS Queries to Identify Infected Hosts on the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
DNS Sinkholing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Configure DNS Sinkholing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Identify Infected Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

Content Delivery Network Infrastructure for Dynamic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467


Threat Prevention Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Decryption Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Decryption Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Keys and Certificates for Decryption Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
SSL Forward Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
SSL Inbound Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
SSH Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Decryption Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Decryption Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

Configure SSL Forward Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482


Configure SSL Inbound Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Configure SSH Proxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Configure Decryption Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Exclude Traffic from Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Exclude a Server from Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Enable Users to Opt Out of SSL Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Configure Decryption Port Mirroring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Temporarily Disable SSL Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496

URL Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497


URL Filtering Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
URL Filtering Vendors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Interaction Between App-ID and URL Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
PAN-DB Private Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501

URL Filtering Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
URL Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
URL Filtering Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
URL Filtering Profile Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Block and Allow Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Safe Search Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Container Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
HTTP Header Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
URL Filtering Response Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
URL Category as Policy Match Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514


PAN-DB Categorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515


PAN-DB URL Categorization Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
PAN-DB URL Categorization Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Enable a URL Filtering Vendor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Enable PAN-DB URL Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Enable BrightCloud URL Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Determine URL Filtering Policy Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Monitor Web Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Monitor Web Activity of Network Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
View the User Activity Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Configure Custom URL Filtering Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Configure URL Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Customize the URL Filtering Response Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Configure URL Admin Override. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Enable Safe Search Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
Block Search Results that are not Using Strict Safe Search Settings . . . . . . . . . . . . . . . . . . . . . . . . . . 536
Enable Transparent Safe Search Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Set Up the PAN-DB Private Cloud. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
URL Filtering Use Case Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Use Case: Control Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Use Case: Use URL Categories for Policy Matching. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Troubleshoot URL Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Problems Activating PAN-DB. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
PAN-DB Cloud Connectivity Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
URLs Classified as Not-Resolved . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Incorrect Categorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
URL Database Out of Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560

Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .561


QoS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
QoS Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
QoS for Applications and Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
QoS Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
QoS Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
QoS Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
QoS Egress Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
QoS Clear Text and Tunneled Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Configure QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Configure QoS for a Virtual System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Enforce QoS Based on DSCP Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
QoS Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Use Case: QoS for a Single User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Use Case: QoS for Voice and Video Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589


VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
VPN Deployments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Site-to-Site VPN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Site-to-Site VPN Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
IKE Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Tunnel Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Tunnel Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Internet Key Exchange (IKE) for VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
IKEv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600

Set Up Site-to-Site VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
Set Up an IKE Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Define Cryptographic Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Set Up an IPSec Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Set Up Tunnel Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel . . . . . . . . . . . . . . . . . . . . . . . 620
Test VPN Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Interpret VPN Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623

Site-to-Site VPN Quick Configs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Site-to-Site VPN with Static Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
Site-to-Site VPN with OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Site-to-Site VPN with Static and Dynamic Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636

Large Scale VPN (LSVPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643


LSVPN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Create Interfaces and Zones for the LSVPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
Enable SSL Between GlobalProtect LSVPN Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
About Certificate Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Deploy Server Certificates to the GlobalProtect LSVPN Components . . . . . . . . . . . . . . . . . . . . . . . 647
Configure the Portal to Authenticate Satellites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Configure GlobalProtect Gateways for LSVPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Prerequisite Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Configure the Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Configure the GlobalProtect Portal for LSVPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
Prerequisite Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
Configure the Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
Define the Satellite Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657

Prepare the Satellite Device to Join the LSVPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660


Verify the LSVPN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
LSVPN Quick Configs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
Basic LSVPN Configuration with Static Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
Advanced LSVPN Configuration with Dynamic Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669


Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .673
Interface Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Virtual Wire Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Layer 2 Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Layer 3 Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Tap Mode Deployments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
RIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
OSPF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
OSPF Concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
Configure OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
Configure OSPFv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Configure OSPF Graceful Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Confirm OSPF Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
BGP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Session Settings and Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Transport Layer Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
UDP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
Configure Session Timeouts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
Configure Session Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Prevent TCP Split Handshake Session Establishment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
DHCP Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
DHCP Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720
DHCP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Firewall as a DHCP Server and Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
Configure an Interface as a DHCP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Configure an Interface as a DHCP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
Configure an Interface as a DHCP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734
Monitor and Troubleshoot DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735
NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737
NAT Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738
Source NAT and Destination NAT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
NAT Rule Capacities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743
Dynamic IP and Port NAT Oversubscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 744
Dataplane NAT Memory Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746
Configure NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 747
NAT Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
NPTv6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
NPTv6 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
How NPTv6 Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768
NDP Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
NPTv6 and NDP Proxy Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
Create an NPTv6 Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774


LACP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776
LACP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776
Configure LACP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 779
ECMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782
ECMP Load-Balancing Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783
ECMP Platform, Interface, and IP Routing Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
HA Active/Active Failover Behavior with ECMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786
Configure ECMP on a Virtual Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
Enable ECMP for Multiple BGP Autonomous Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
Verify ECMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791

LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
LLDP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Supported TLVs in LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
LLDP Syslog Messages and SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796
Configure LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
View LLDP Settings and Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Clear LLDP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802

Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803
Policy Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805
Components of a Security Policy Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
Security Policy Best Practices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
Policy Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
Security Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811
Antivirus Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812
Anti-Spyware Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
Vulnerability Protection Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
URL Filtering Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 815
Data Filtering Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816
File Blocking Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 818
WildFire Analysis Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819
DoS Protection Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 820
Zone Protection Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 821
Security Profile Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822

Enumeration of Rules Within a Rulebase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 826


Move or Clone a Policy Rule or Object to a Different Virtual System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828
Use Tags to Group and Visually Distinguish Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 829
Create and Apply Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 830
Modify Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831
Use the Tag Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832

Use a Dynamic Block List in Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836
View the IP Address Limit For Your Firewall Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836
Formatting Guidelines for Dynamic Block Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Enforce Policy with a Dynamic Block List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
View the List of IP addresses in the Dynamic Block List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
Retrieve a Dynamic Block List from Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839


Register IP Addresses and Tags Dynamically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840


Monitor Changes in the Virtual Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
Enable VM Monitoring to Track Changes on the Virtual Network . . . . . . . . . . . . . . . . . . . . . . . . . . 842
Attributes Monitored in the AWS and VMware Environments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845
Use Dynamic Address Groups in Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 846
CLI Commands for Dynamic IP Addresses and Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849
Identify Users Connected through a Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Use XFF Values for Policies and Logging Source Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Add XFF Values to URL Filtering Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
Policy-Based Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853
PBF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854
Create a Policy-Based Forwarding Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 856
Use Case: PBF for Outbound Access with Dual ISPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 858
DoS Protection Against Flooding of New Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 866
DoS Protection Against Flooding of New Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867
Configure DoS Protection Against Flooding of New Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 871
Use the CLI to End a Single Attacking Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 874

Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .875


Virtual Systems Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 876
Virtual System Components and Segmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 876
Benefits of Virtual Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 877
Use Cases for Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 877
Platform Support and Licensing for Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878
Administrative Roles for Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878
Shared Objects for Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878
Communication Between Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 879
Inter-VSYS Traffic That Must Leave the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 880
Inter-VSYS Traffic That Remains Within the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881
Inter-VSYS Communication Uses Two Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 884
Shared Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885
External Zones and Shared Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885
Networking Considerations for a Shared Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
Service Routes for Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 887
Use Cases for Service Routes for a Virtual System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 888
PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers. . . . . . . . . . 889
DNS Proxy Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
DNS Server Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 891
Multi-Tenant DNS Deployments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 892
Configure Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 893
Configure Inter-Virtual System Communication within the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896
Configure a Shared Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 897


Customize Service Routes for a Virtual System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 898
Customize Service Routes to Services for Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 898
Configure a PA-7000 Series Firewall for Logging Per Virtual System . . . . . . . . . . . . . . . . . . . . . . . . 900
Configure a DNS Proxy Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901
Configure a DNS Server Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 902
Configure Administrative Access Per Virtual System or Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 904

DNS Resolution: Three Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 906


Use Case 1: Firewall Requires DNS Resolution for Management Purposes. . . . . . . . . . . . . . . . . . . . 906
Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting,
and Services within its Virtual System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
Use Case 3: Firewall Acts as DNS Proxy Between Client and Server . . . . . . . . . . . . . . . . . . . . . . . . . 913
Virtual System Functionality with Other Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 915

Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917
Enable FIPS and Common Criteria Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 918
CCEAL4 Security Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919


Getting Started
The following topics provide detailed steps to help you deploy a new Palo Alto Networks next-generation
firewall. They provide details for integrating a new firewall into your network and configuring basic security
policies and threat prevention features.
After you perform the basic configuration steps required to integrate the firewall into your network, you can use
the rest of the topics in this guide to help you deploy the comprehensive enterprise security platform features
as necessary to address your network security needs.

Integrate the Firewall into Your Management Network

Create the Security Perimeter

Enable Basic Threat Prevention Features

Best Practices for Completing the Firewall Deployment


Integrate the Firewall into Your Management Network


All Palo Alto Networks firewalls provide an out-of-band management port (MGT) that you can use to perform
the firewall administration functions. By using the MGT port, you separate the management functions of the
firewall from the data processing functions, safeguarding access to the firewall and enhancing performance.
When using the web interface, you must perform all initial configuration tasks from the MGT port even if you
plan to use an in-band port for managing your device going forward.
Some management tasks, such as retrieving licenses and updating the threat and application signatures on the
firewall, require access to the Internet. If you do not want to enable external access to your MGT port, you
must either set up a data port to provide access to the required external services or plan to upload updates
manually on a regular basis.
The following topics describe how to perform the initial configuration steps that are necessary to integrate a
new firewall into the management network and deploy it in a basic security configuration.

Determine Your Management Strategy

Perform Initial Configuration

Set Up Network Access for External Services

Register the Firewall

Activate Licenses and Subscriptions

Manage Content Updates

Install Software Updates


The following topics describe how to integrate a single Palo Alto Networks next-generation
firewall into your network. However, for redundancy, consider deploying a pair of firewalls in a
High Availability configuration.


Determine Your Management Strategy


The Palo Alto Networks firewall can be configured and managed locally or it can be managed centrally using
Panorama, the Palo Alto Networks centralized security management system. If you have six or more firewalls
deployed in your network, use Panorama to achieve the following benefits:

Reduce the complexity and administrative overhead of managing configuration, policies, software, and
dynamic content updates. Using device groups and templates on Panorama, you can manage device-specific
configuration locally on a device while enforcing shared policies across all devices or device groups.

Aggregate data from all managed firewalls and gain visibility across all the traffic on your network. The
Application Command Center (ACC) on Panorama provides a single pane of glass for unified reporting across
all the firewalls, allowing you to centrally analyze, investigate, and report on network traffic, security incidents,
and administrative modifications.

The procedures that follow describe how to manage the firewall using the local web interface. If you want to
use Panorama for centralized management, first Perform Initial Configuration and verify that the firewall can
establish a connection to Panorama. From that point on you can use Panorama to configure your firewall
centrally.


Perform Initial Configuration


By default, the firewall has an IP address of 192.168.1.1 and a username/password of admin/admin. For security
reasons, you must change these settings before continuing with other firewall configuration tasks. You must
perform these initial configuration tasks either from the MGT interface, even if you do not plan to use this
interface for your firewall management, or using a direct serial connection to the console port on the device.
Set Up Network Access to the Firewall

Step 1: Gather the required information from your network administrator.
• IP address for MGT port
• Netmask
• Default gateway
• DNS server address

Step 2: Connect your computer to the firewall. You can connect to the firewall in one of the following ways:
• Connect a serial cable from your computer to the Console port and connect to the firewall using terminal
  emulation software (9600-8-N-1). Wait a few minutes for the boot-up sequence to complete; when the device
  is ready, the prompt changes to the name of the firewall, for example PA-500 login.
• Connect an RJ-45 Ethernet cable from your computer to the MGT port on the firewall. From a browser, go to
  https://192.168.1.1. Note that you may need to change the IP address on your computer to an address in the
  192.168.1.0 network, such as 192.168.1.2, in order to access this URL.

Step 3: When prompted, log in to the firewall. You must log in using the default username and password
(admin/admin). The firewall will begin to initialize.

Step 4: Configure the MGT interface.
1. Select Device > Setup > Management and then edit the Management Interface Settings.
2. Enter the IP Address, Netmask, and Default Gateway.
   To prevent unauthorized access to the management interface, it is a best practice to Add the Permitted IP
   Addresses from which an administrator can access the MGT interface.
3. Set the Speed to auto-negotiate.
4. Select which management services to allow on the interface. Make sure Telnet and HTTP are not selected
   because these services use plaintext and are not as secure as the other services and could compromise
   administrator credentials.
5. Click OK.
Step 5: Configure general firewall settings as needed.
1. Select Device > Setup > Management and edit the General Settings.
2. Enter a Hostname for the firewall and enter your network Domain name. The domain name is just a label; it
   will not be used to join the domain.
3. Enter Login Banner text that informs users who are attempting to log in that they must have authorization to
   access the firewall management functions.
   As a best practice, add a login banner that indicates that access to the firewall is restricted to prevent
   unauthorized users from accessing the management functions. It is a good idea to avoid using welcoming
   verbiage and to run your messaging by your legal department to ensure that you are providing adequate
   warning that unauthorized access is prohibited.
4. Enter the Latitude and Longitude to enable accurate placement of the firewall on the world map.
5. Click OK.

Step 6: Configure DNS, update server, and proxy server settings.
You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames;
it will not use DNS server settings from another source, such as an ISP.
1. Select Device > Setup > Services. For multi-virtual system platforms, select Global and edit the Services
   section. For single virtual system platforms, edit the Services section.
2. On the Services tab, for DNS, click one of the following:
   • Servers: Enter the Primary DNS Server address and Secondary DNS Server address.
   • DNS Proxy Object: From the drop-down, select the DNS Proxy that you want to use to configure global DNS
     services, or click DNS Proxy to configure a new DNS proxy object.
3. (Optional) For Update Server, enter the IP address or host name of the server from which to download
   updates from Palo Alto Networks. The current value is updates.paloaltonetworks.com. Do not change the
   Update Server unless instructed by Technical Support.
4. (Optional) Click Verify Update Server Identity for an extra level of validation. The firewall will check the
   update server's SSL certificate to ensure that it was signed by a trusted authority.
5. (Optional) If the firewall needs to use a proxy server to reach Palo Alto Networks update services, in the
   Proxy Server window, enter:
   • Server: IP address or host name of the proxy server.
   • Port: Port for the proxy server. Range: 1-65535.
   • User: Username to access the server.
   • Password: Password for the user to access the proxy server. Re-enter the password at Confirm Password.
6. Click OK.

Step 7: Configure date and time (NTP) settings.
1. Select Device > Setup > Services. For multi-virtual system platforms, select Global and edit the Services
   section. For single virtual system platforms, edit the Services section.
2. On the NTP tab, to use the virtual cluster of time servers on the Internet, enter the hostname pool.ntp.org as
   the Primary NTP Server or enter the IP address of your primary NTP server.
3. (Optional) Enter a Secondary NTP Server address.
4. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the
   following for each server:
   • None: (Default) Disables NTP authentication.
   • Symmetric Key: Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
     Key ID: Enter the Key ID (1-65534).
     Algorithm: Select the algorithm to use in NTP authentication (MD5 or SHA1).
   • Autokey: Firewall uses autokey (public key cryptography) to authenticate time updates.
5. Click OK.

Step 8: Set a secure password for the admin account.
1. Select Device > Administrators.
2. Select the admin role.
3. Enter the current default password and the new password.
4. Click OK to save your settings.

Step 9: Commit your changes. Click Commit. The device may take up to 90 seconds to save your changes.
When the configuration changes are saved, you will lose connectivity to the web interface because the IP
address will have changed.

Step 10: Connect the firewall to your network.
1. Disconnect the firewall from your computer.
2. Connect the MGT port to a switch port on your management network using an RJ-45 Ethernet cable. Make
   sure that the switch port you cable the firewall to is configured for auto-negotiation.

Step 11: Open an SSH management session to the firewall. Using terminal emulation software, such as PuTTY,
launch an SSH session to the firewall using the new IP address you assigned to it.

Step 12: Verify network access to external services required for firewall management, such as the Palo Alto
Networks Update Server, in one of the following ways:
• If you do not want to allow external network access to the MGT interface, you will need to set up a data port
  to retrieve required service updates. Continue to Set Up Network Access for External Services.
• If you do plan to allow external network access to the MGT interface, verify that you have connectivity and
  then proceed to Register the Firewall and Activate Licenses and Subscriptions.

If you cabled your MGT port for external network access, verify that you have access to and from the firewall
by using the ping utility from the CLI. Make sure you have connectivity to the default gateway, DNS server, and
the Palo Alto Networks Update Server as shown in the following example:

admin@PA-200> ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (67.192.236.252) 56(84) bytes of data.
64 bytes from 67.192.236.252 : icmp_seq=1 ttl=243 time=40.5 ms
64 bytes from 67.192.236.252 : icmp_seq=2 ttl=243 time=53.6 ms
64 bytes from 67.192.236.252 : icmp_seq=3 ttl=243 time=79.5 ms

After you have verified connectivity, press Ctrl+C to stop the pings.
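The hardening points in Steps 4 to 6 (no Telnet or HTTP on the MGT interface, Permitted IP Addresses set, at least one DNS server, a login banner, and Verify Update Server Identity enabled) can be re-checked later against a configuration export. The Python script below is an added example and is not part of the PAN-OS guide or of PAN-OS itself; the element names and nesting under deviceconfig/system are an assumption modelled on a PAN-OS running-config export, and the sample document is constructed for the example.

```python
"""Audit a PAN-OS-style configuration export for the MGT hardening points in Steps 4-6:
Telnet/HTTP off, Permitted IP Addresses set, DNS server present, login banner set,
Verify Update Server Identity on. Added example, not from the guide; the element names
are an ASSUMPTION modelled on a PAN-OS running-config export (deviceconfig/system)."""
import xml.etree.ElementTree as ET

# Constructed sample: a freshly set-up firewall with HTTP still enabled on MGT
# and no Permitted IP Addresses list.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <dns-setting>
            <servers>
              <primary>10.10.1.53</primary>
            </servers>
          </dns-setting>
          <update-server>updates.paloaltonetworks.com</update-server>
          <server-verification>yes</server-verification>
          <login-banner>Access restricted to authorized administrators.</login-banner>
          <service>
            <disable-telnet>yes</disable-telnet>
            <disable-http>no</disable-http>
          </service>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

SYSTEM_PATH = "./devices/entry/deviceconfig/system"


def _text(node, path):
    """Text of the first element at path under node, or "" when absent."""
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else ""


def audit_mgt_config(xml_text):
    """Return the list of findings; an empty list means every check passed."""
    system = ET.fromstring(xml_text).find(SYSTEM_PATH)
    if system is None:
        return ["no deviceconfig/system section in the export"]
    findings = []
    # Step 4: Telnet and HTTP carry credentials in plaintext. The export records a
    # disabled service as disable-<name>=yes; a missing element means it is enabled.
    for svc in ("telnet", "http"):
        if _text(system, f"./service/disable-{svc}") != "yes":
            findings.append(f"{svc} is enabled on the MGT interface")
    # Step 4: without Permitted IP Addresses, any source may reach the admin services.
    if not system.findall("./permitted-ip/entry"):
        findings.append("no Permitted IP Addresses: MGT accepts admin connections from any source")
    # Step 5: a login banner that states access is restricted.
    if not _text(system, "./login-banner"):
        findings.append("no login banner configured")
    # Step 6: at least one DNS server, or the firewall cannot resolve hostnames.
    if not (_text(system, "./dns-setting/servers/primary")
            or _text(system, "./dns-setting/servers/secondary")):
        findings.append("no DNS server configured")
    # Step 6: the update server's certificate must be checked against a trusted CA.
    if _text(system, "./server-verification") != "yes":
        findings.append("Verify Update Server Identity is not enabled")
    return findings


def harden_mgt_config(xml_text, permitted_cidrs):
    """Return a copy of the export with Telnet and HTTP disabled and the given
    Permitted IP Addresses added (the remaining findings are for the admin to fix)."""
    root = ET.fromstring(xml_text)
    system = root.find(SYSTEM_PATH)
    if system is None:
        raise ValueError("no deviceconfig/system section in the export")
    service = system.find("./service")
    if service is None:
        service = ET.SubElement(system, "service")
    for svc in ("telnet", "http"):
        flag = service.find(f"./disable-{svc}")
        if flag is None:
            flag = ET.SubElement(service, f"disable-{svc}")
        flag.text = "yes"
    permitted = system.find("./permitted-ip")
    if permitted is None:
        permitted = ET.SubElement(system, "permitted-ip")
    existing = {e.get("name") for e in permitted.findall("./entry")}
    for cidr in permitted_cidrs:
        if cidr not in existing:
            ET.SubElement(permitted, "entry", name=cidr)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_mgt_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```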


Set Up Network Access for External Services


By default, the firewall uses the MGT interface to access remote services, such as DNS servers, content updates,
and license retrieval. If you do not want to enable external network access to your management network, you
must set up a data port to provide access to these required external services.
This task requires familiarity with firewall interfaces, zones, and policies. For more information on
these topics, see Create the Security Perimeter.

For information on setting up network access to external services on a virtual system basis rather than a global
basis, see Per-Virtual System Service Routes.
Set Up a Data Port for Access to External Services

Step 1: Decide which port you want to use for access to external services and connect it to your switch or
router port. The interface you use must have a static IP address.

Step 2: Log in to the web interface. Using a secure connection (https) from your web browser, log in using the
new IP address and password you assigned during initial configuration (https://<IP address>). You will see a
certificate warning; that is okay. Continue to the web page.

Step 3: (Optional) The firewall comes preconfigured with a default virtual wire interface between ports
Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and zones). If you do not plan to use
this virtual wire configuration, you must manually delete the configuration to prevent it from interfering with
other interface settings you define. You must delete the configuration in the following order:
1. To delete the default security policy, select Policies > Security, select the rule, and click Delete.
2. Next, delete the default virtual wire by selecting Network > Virtual Wires, selecting the virtual wire and
   clicking Delete.
3. To delete the default trust and untrust zones, select Network > Zones, select each zone and click Delete.
4. Finally, delete the interface configurations by selecting Network > Interfaces and then select each interface
   (ethernet1/1 and ethernet1/2) and click Delete.
5. Commit the changes.

Step 4: Configure the interface.
1. Select Network > Interfaces and select the interface that corresponds to the port you cabled in Step 1.
2. Select the Interface Type. Although your choice here depends on your network topology, this example shows
   the steps for Layer3.
3. On the Config tab, expand the Security Zone drop-down and select New Zone.
4. In the Zone dialog, define a Name for the new zone, for example L3-trust, and then click OK.
5. Select the IPv4 tab, select the Static radio button, click Add in the IP section, and enter the IP address and
   network mask to assign to the interface, for example 192.168.1.254/24.
6. Select Advanced > Other Info, expand the Management Profile drop-down, and select New Management
   Profile.
7. Enter a Name for the profile, such as allow_ping, and then select the services you want to allow on the
   interface. For the purposes of allowing access to the external services, you probably only need to enable Ping
   and then click OK.
   These services provide management access to the device, so only select the services that correspond to the
   management activities you want to allow on this interface. For example, if you plan to use the MGT interface
   for device configuration tasks through the web interface or CLI, you would not want to enable HTTP, HTTPS,
   SSH, or Telnet so that you could prevent unauthorized access through this interface (and if you did allow those
   services, you should limit access to a specific set of Permitted IP Addresses).
8. To save the interface configuration, click OK.

Step 5: Because the firewall uses the MGT interface by default to access the external services it requires, you
must change the interface the firewall uses to send these requests by editing the service routes.
1. Select Device > Setup > Services > Service Route Configuration.
   For the purposes of activating your licenses and getting the most recent content and software updates, you
   will want to change the service route for DNS, Palo Alto Updates, URL Updates, and WildFire.
2. Click the Customize radio button, and select one of the following:
   • For a predefined service, select IPv4 or IPv6 and click the link for the service for which you want to modify
     the Source Interface and select the interface you just configured. If more than one IP address is configured
     for the selected interface, the Source Address drop-down allows you to select an IP address.
   • To create a service route for a custom destination, select Destination, and click Add. Enter a Destination
     name and select a Source Interface. If more than one IP address is configured for the selected interface, the
     Source Address drop-down allows you to select an IP address.
3. Click OK to save the settings.
4. Repeat steps 2-3 above for each service route you want to modify.
5. Commit your changes.

Step 6: Configure an external-facing interface and an associated zone and then create security and NAT policy
rules to allow the firewall to send service requests from the internal zone to the external zone.
1. Select Network > Interfaces and then select your external-facing interface. Select Layer3 as the Interface
   Type, Add the IP address (on the IPv4 or IPv6 tab), and create the associated Security Zone (on the Config
   tab), such as l3-untrust. You do not need to set up management services on this interface.
2. To set up a security rule that allows traffic from your internal network to the Palo Alto Networks update
   server, select Policies > Security and click Add. For the purposes of initial configuration, you can create a
   simple rule that allows all traffic from l3-trust to l3-untrust.
3. If you are using a private IP address on the internal-facing interface, you will need to create a source NAT
   rule to translate the address to a publicly routable address. Select Policies > NAT and then click Add. At a
   minimum you must define a name for the rule (General tab), specify a source and destination zone, l3-trust to
   l3-untrust in this case (Original Packet tab), and define the source address translation settings (Translated
   Packet tab) and then click OK.
4. Commit your changes.

Step 7: Verify that you have connectivity from the data port to the external services, including the default
gateway, and the Palo Alto Networks Update Server. Launch the CLI and use the ping utility to verify that you
have connectivity. Keep in mind that by default pings are sent from the MGT interface, so in this case you must
specify the source interface for the ping requests as follows:

admin@PA-200> ping source 192.168.1.254 host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (67.192.236.252) from 192.168.1.254 : 56(84) bytes of data.
64 bytes from 67.192.236.252: icmp_seq=1 ttl=242 time=56.7 ms
64 bytes from 67.192.236.252: icmp_seq=2 ttl=242 time=47.7 ms
64 bytes from 67.192.236.252: icmp_seq=3 ttl=242 time=47.6 ms
^C

After you have verified connectivity, press Ctrl+C to stop the pings.
After you verify you have the required network connectivity, continue to Register the Firewall and Activate
Licenses and Subscriptions.

Register the Firewall

Step 1: Log in to the web interface. Using a secure connection (https) from your web browser, log in using the
new IP address and password you assigned during initial configuration (https://<IP address>). You will see a
certificate warning; that is okay. Continue to the web page.

Step 2: Locate your serial number and copy it to the clipboard. On the Dashboard, locate your Serial Number in
the General Information section of the screen.

Step 3: Go to the Palo Alto Networks Support site. In a new browser tab or window, go to
https://support.paloaltonetworks.com.

Step 4: Register the device. The way you register depends on whether you already have a login to the support
site.
• If this is the first Palo Alto Networks device you are registering and you do not yet have a login, click Register
  on the right side of the page. To register, you must provide your sales order number or customer ID, and the
  serial number of your firewall (which you can paste from your clipboard) or the authorization code you
  received with your order. You will also be prompted to set up a username and password for access to the Palo
  Alto Networks support community.
• If you already have a support account, log in and then click My Devices. Scroll down to the Register Device
  section at the bottom of the screen and enter the serial number of your firewall (which you can paste from
  your clipboard), your city and postal code and then click Register Device.


Activate Licenses and Subscriptions


Before you can start using your firewall to secure the traffic on your network, you must activate the licenses for
each of the services you purchased. Available licenses and subscriptions include the following:

Threat Prevention: Provides antivirus, anti-spyware, and vulnerability protection.

Decryption Mirroring: Provides the ability to create a copy of decrypted traffic from a firewall and send it
to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera,
for archiving and analysis.

URL Filtering: Allows you to create security policy to enforce web access based on dynamic URL categories.
You must purchase and install a subscription for one of the supported URL filtering databases: PAN-DB or
BrightCloud. With PAN-DB, you can set up access to the PAN-DB public cloud or to the PAN-DB private
cloud. For more information about URL filtering, see Control Access to Web Content.

Virtual Systems: This license is required to enable support for multiple virtual systems on PA-2000 and
PA-3000 Series firewalls. In addition, you must purchase a Virtual Systems license if you want to increase the
number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series,
and PA-7000 Series firewalls (the base number varies by platform). The PA-500, PA-200, and VM-Series
firewalls do not support virtual systems.

WildFire: Although basic WildFire support is included as part of the Threat Prevention license, the
WildFire subscription service provides enhanced services for organizations that require immediate coverage
for threats, frequent WildFire signature updates, advanced file type forwarding (APK, PDF, Microsoft
Office, and Java Applet), as well as the ability to upload files using the WildFire API. A WildFire subscription
is also required if your firewalls will be forwarding files to a WF-500 appliance.

GlobalProtect: Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy
GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use HIP checks,
you will also need gateway licenses (subscription) for each gateway.

Activate Licenses

Step 1: Locate the activation codes for the licenses you purchased.
When you purchased your subscriptions you should have received an email from Palo Alto Networks customer
service listing the activation code associated with each subscription. If you cannot locate this email, contact
customer support to obtain your activation codes before you proceed.

Step 2: Launch the web interface and go to the license page.
Select Device > Licenses.


Step 3: Activate each license you purchased.
After purchasing your licenses/subscriptions, activate them in one of the following ways:
- Retrieve license keys from license server: Use this option if you activated your license on the support portal.
- Activate feature using authorization code: Use this option to enable purchased subscriptions using an
  authorization code for licenses that have not been previously activated on the support portal. When prompted,
  enter the Authorization Code and then click OK.
- Manually upload license key: Use this option if your device does not have connectivity to the Palo Alto Networks
  support site. In this case, you must download a license key file from the support site on an Internet-connected
  computer and then upload it to the device.

Step 4: Verify that the license was successfully activated.
On the Device > Licenses page, verify that the license was successfully activated. For example, after activating
the WildFire license, you should see that the license is valid.

Step 5: (WildFire subscriptions only) Perform a commit to complete WildFire subscription activation.
After activating a WildFire subscription, a commit is required for the firewall to begin forwarding advanced file
types:
- Commit any pending changes.
- Make a minor change and perform a commit. For example, update a rule description and commit the change.
- Check that the WildFire Analysis profile rules include the advanced file types that are now supported with the
  WildFire subscription. If no change to any of the rules is required, make a minor edit to a rule description
  and perform a commit.


Manage Content Updates


In order to stay ahead of the changing threat and application landscape, Palo Alto Networks maintains a Content
Delivery Network (CDN) infrastructure for delivering content updates to the Palo Alto Networks devices. The
devices access the web resources in the CDN to perform various App-ID and Content-ID functions. By default,
the devices use the management port to access the CDN infrastructure for application updates, threat and
antivirus signature updates, BrightCloud and PAN-DB database updates and lookups, and access to the Palo
Alto Networks WildFire cloud. To ensure that you are always protected from the latest threats (including those
that have not yet been discovered), you must ensure that you keep your devices up-to-date with the latest
updates published by Palo Alto Networks.
Although you can manually download and install content updates at any time, as a best practice you should
Schedule each update. Scheduled updates occur automatically.
The following content updates are available, depending on which subscriptions you have:

Antivirus: Includes new and updated antivirus signatures, including signatures discovered by the WildFire
cloud service. You must have a Threat Prevention subscription to get these updates. New antivirus signatures
are published daily.

Applications: Includes new and updated application signatures. This update does not require any
additional subscriptions, but it does require a valid maintenance/support contract. New application updates
are published weekly. To review the policy impact of new application updates, see Manage New App-IDs
Introduced in Content Releases.

Applications and Threats: Includes new and updated application and threat signatures. This update is
available if you have a Threat Prevention subscription (and you get it instead of the Applications update).
New Applications and Threats updates are published weekly.

GlobalProtect Data File: Contains the vendor-specific information for defining and evaluating host
information profile (HIP) data returned by GlobalProtect agents. You must have a GlobalProtect gateway
license and create an update schedule in order to receive these updates.

BrightCloud URL Filtering: Provides updates to the BrightCloud URL Filtering database only. You must
have a BrightCloud subscription to get these updates. New BrightCloud URL database updates are published
daily. If you have a PAN-DB license, scheduled updates are not required as devices remain in sync with the
servers automatically.

WildFire: Provides near real-time malware and antivirus signatures created as a result of the analysis done
by the WildFire cloud service. Without the subscription, you must wait 24 to 48 hours for the signatures to
roll into the Applications and Threats update.

If your firewall does not have Internet access from the management port, you can download content updates
from the Palo Alto Networks Support portal and then Upload them to your firewall.

If your firewall is deployed behind existing firewalls or proxy servers, access to these external resources might
be restricted using access control lists that allow the firewall to only access a hostname or an IP address. In such
cases, to allow access to the CDN, set the update server address to use the hostname
staticupdates.paloaltonetworks.com or the IP address 199.167.52.15. For details on setting up CDN access, see
Content Delivery Network Infrastructure for Dynamic Updates.


Update Content

Step 1: Verify that the firewall points to the CDN infrastructure.
- Select Device > Setup > Services.
- As a best practice, set the Update Server to access updates.paloaltonetworks.com. This allows the firewall
  to receive content updates from the server to which it is closest in the CDN infrastructure.
- (Optional) If the firewall has restricted access to the Internet, set the update server address to use the
  hostname staticupdates.paloaltonetworks.com or the IP address 199.167.52.15.
- For additional security, select Verify Update Server Identity. The firewall verifies that the server from which
  the software or content package is downloaded has an SSL certificate signed by a trusted authority.

Step 2: Launch the web interface and go to the Dynamic Updates page.
Select Device > Dynamic Updates.

Step 3: Check for the latest updates.
Click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link
in the Action column indicates whether an update is available:
- Download: Indicates that a new update file is available. Click the link to begin downloading the file directly
  to the firewall. After successful download, the link in the Action column changes from Download to Install.
  You cannot download the antivirus database until you have installed the Applications and Threats database.
- Upgrade: Indicates that there is a new version of the BrightCloud database available. Click the link to begin
  the download and installation of the database. The database upgrade begins in the background; when completed
  a check mark displays in the Currently Installed column. Note that if you are using PAN-DB as your URL
  filtering database you will not see an upgrade link because the PAN-DB database automatically stays in sync
  with the server.
  To check the status of an action, click Tasks (on the lower right-hand corner of the window).
- Revert: Indicates that a previously installed version of the content or software version is available. You can
  choose to revert to the previously installed version.


Step 4: Install the updates.
Installation can take up to 20 minutes on a PA-200, PA-500, or PA-2000 Series device and up to two minutes on a
PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, or VM-Series firewall.
Click the Install link in the Action column. When the installation completes, a check mark displays in the
Currently Installed column.

Step 5: Schedule each update.
Stagger the update schedules because the firewall can only download one update at a time. If you schedule the
updates to download during the same time interval, only the first download will succeed.
1. Set the schedule of each update type by clicking the None link.
2. Specify how often you want the updates to occur by selecting a value from the Recurrence drop-down. The
   available values vary by content type (WildFire updates are available Every 15 minutes, Every 30 minutes or
   Every Hour, whereas all other content types can be scheduled for Daily or Weekly update).
3. Specify the Time (or, for WildFire, the minutes past the hour) and, if applicable for the Recurrence value you
   selected, the Day of the week on which you want the updates to occur.
4. Specify whether you want the system to Download Only or, as a best practice, Download And Install the update.
5. In rare instances, errors in content updates may be found. For this reason, you may want to delay installing new
   updates until they have been released for a certain number of hours. You can specify how long after a release to
   wait before performing a content update by entering the number of hours to wait in the Threshold (Hours) field.
6. Click OK to save the schedule settings.
7. Click Commit to save the settings to the running configuration.
Repeat this step for each update you want to schedule.
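To see the staggering rule and the Threshold (Hours) delay applied to a concrete plan, here is an added example that is not part of the guide or of PAN-OS: it rejects a recurrence the content type does not offer, finds slots where two downloads would land at the same time, and reports when a release clears the threshold. The schedule dictionary format, the assumption that WildFire's 15- and 30-minute runs start at :00, and the sample plan are all my own.

```python
from datetime import datetime, timedelta

WEEK = 7 * 24 * 60  # minutes in a week
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
# Recurrences offered per content type, as described above. Assumed schedule keys:
# type, recurrence, time "HH:MM", day, minute (WildFire hourly), threshold_hours.
WILDFIRE_RECURRENCES = {"every-15-mins": 15, "every-30-mins": 30, "hourly": 60}
OTHER_RECURRENCES = {"daily", "weekly"}


def slots(sched):
    """Minutes-of-week (0 = Monday 00:00) at which the schedule downloads."""
    rec = sched["recurrence"]
    if sched["type"] == "wildfire":
        if rec not in WILDFIRE_RECURRENCES:
            raise ValueError(f"wildfire: recurrence {rec!r} not offered")
        # Hourly takes "minutes past the hour"; 15/30-minute runs are assumed to start at :00.
        offset = sched.get("minute", 0) if rec == "hourly" else 0
        return set(range(offset, WEEK, WILDFIRE_RECURRENCES[rec]))
    if rec not in OTHER_RECURRENCES:
        raise ValueError(f"{sched['type']}: recurrence {rec!r} not offered")
    hour, minute = map(int, sched["time"].split(":"))
    days = range(7) if rec == "daily" else [DAYS.index(sched["day"].lower())]
    return {d * 1440 + hour * 60 + minute for d in days}


def _label(m):
    return f"{DAYS[m // 1440].capitalize()} {m % 1440 // 60:02d}:{m % 60:02d}"


def collisions(schedules):
    """Pairs of content types whose downloads fall in the same slot, with the first such slot.
    Only one download runs at a time, so every pair reported here needs staggering."""
    expanded = [(s["type"], slots(s)) for s in schedules]
    found = []
    for i, (a, slots_a) in enumerate(expanded):
        for b, slots_b in expanded[i + 1:]:
            shared = slots_a & slots_b
            if shared:
                found.append((a, b, _label(min(shared))))
    return found


def first_install(sched, released_at):
    """ISO time of the first scheduled run that installs a release published at released_at,
    once the release has waited out the schedule's Threshold (Hours)."""
    fire = slots(sched)
    t = datetime.fromisoformat(released_at) + timedelta(hours=sched.get("threshold_hours", 0))
    t = t.replace(second=0, microsecond=0)
    for _ in range(WEEK):
        if t.weekday() * 1440 + t.hour * 60 + t.minute in fire:
            return t.isoformat(timespec="minutes")
        t += timedelta(minutes=1)
    raise RuntimeError("schedule never fires")


if __name__ == "__main__":
    # Constructed plan: every entry lands on a quarter-hour, so each pair collides.
    plan = [
        {"type": "antivirus", "recurrence": "daily", "time": "02:00", "threshold_hours": 6},
        {"type": "applications-and-threats", "recurrence": "weekly", "day": "sunday", "time": "02:00"},
        {"type": "wildfire", "recurrence": "every-15-mins"},
    ]
    for a, b, when in collisions(plan):
        print(f"{a} and {b} both download at {when}; stagger them")
    print(first_install(plan[0], "2015-12-21T10:30"))  # -> 2015-12-22T02:00
```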


Install Software Updates


When installing a new firewall, it is a good idea to upgrade to the latest software update (or to the update version
that your reseller or Palo Alto Networks Systems Engineer recommends) to take advantage of the latest fixes
and security enhancements. Before updating the software, make sure you have the latest content updates as
detailed in Manage Content Updates (the Release Notes for a software update specify the minimum content
release version supported in the release).


Create the Security Perimeter


Traffic must pass through the firewall in order for the firewall to manage and control it. Physically, traffic enters
and exits the firewall through interfaces. The firewall determines how to act on a packet based on whether the
packet matches a security policy rule. At the most basic level, each security policy rule must identify where the traffic
came from and where it is going. On a Palo Alto Networks next-generation firewall, security policy rules are
applied between zones. A zone is a grouping of interfaces (physical or virtual) that provides an abstraction for
an area of trust for simplified policy enforcement. For example, in the following topology diagram, there are
three zones: Trust, Untrust, and DMZ. Traffic can flow freely within a zone, but traffic will not be able to flow
between zones until you define a security policy rule that allows it.

The following topics describe the components of the security perimeter and provide steps for configuring the
firewall interfaces, defining zones, and setting up a basic security policy that allows traffic from your internal
zone to the Internet and to the DMZ. By initially creating a basic security policy rulebase like this, you will be
able to analyze the traffic running through your network and use this information to define more granular
policies for safely enabling applications while preventing threats.

Basic Interface Deployments

About Security Policy

Plan the Deployment

Configure Interfaces and Zones

Set Up Basic Security Policies

If you use private IP addresses in your internal networks, you will also need to configure network address
translation (NAT).


Basic Interface Deployments


All Palo Alto Networks next-generation firewalls provide a flexible networking architecture that includes
support for dynamic routing, switching, and VPN connectivity, enabling you to deploy the firewall into nearly
any networking environment. When configuring the Ethernet ports on your firewall, you can choose from
virtual wire, Layer 2, or Layer 3 interface deployments. In addition, to allow you to integrate into a variety of
network segments, you can configure different types of interfaces on different ports. The following sections
provide basic information on each type of deployment.

Virtual Wire Deployments

Layer 2 Deployments

Layer 3 Deployments

For more detailed deployment information, refer to Designing Networks with Palo Alto Networks Firewalls.

Virtual Wire Deployments


In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two ports
together. By using a virtual wire, you can install the firewall in any network environment without reconfiguring
adjacent devices. If necessary, a virtual wire can block or allow traffic based on the virtual LAN (VLAN) tag
values. You can also create multiple subinterfaces and classify traffic according to an IP Address (address, range,
or subnet), VLAN, or a combination of the two.
By default, the virtual wire (named default-vwire) binds Ethernet ports 1 and 2 and allows all untagged traffic.
Choose this deployment to simplify installation and configuration and/or avoid configuration changes to
surrounding network devices.
A virtual wire is the default configuration, and should be used only when no switching or routing is needed. If
you do not plan to use the default virtual wire, you should manually delete the configuration before proceeding
with interface configuration to prevent it from interfering with other interface settings you define. For
instructions on how to delete the default virtual wire and its associated security policy and zones, see Step 3 in
Set Up a Data Port for Access to External Services.

Layer 2 Deployments
In a Layer 2 deployment, the firewall provides switching between two or more interfaces. Each group of
interfaces must be assigned to a VLAN object in order for the firewall to switch between them. The firewall will
perform VLAN tag switching when Layer 2 subinterfaces are attached to a common VLAN object. Choose this
option when switching is required.
For more information on Layer 2 deployments, refer to the Layer 2 Networking Tech Note and/or the Securing
Inter VLAN Traffic Tech Note.


Layer 3 Deployments
In a Layer 3 deployment, the firewall routes traffic between ports. An IP address must be assigned to each
interface and a virtual router must be defined to route the traffic. Choose this option when routing is required.
You must assign an IP address to each physical Layer 3 interface you configure. You can also create logical
subinterfaces for each physical Layer 3 interface that allows you to segregate the traffic on the interface based
on VLAN tag (when VLAN trunking is in use) or by IP address, for example for multi-tenancy.
In addition, because the firewall must route traffic in a Layer 3 deployment, you must configure a virtual router.
You can configure the virtual router to participate with dynamic routing protocols (BGP, OSPF, or RIP) as well
as adding static routes. You can also create multiple virtual routers, each maintaining a separate set of routes that
are not shared between virtual routers, enabling you to configure different routing behaviors for different
interfaces. For more information on routing integrations on the firewall, see the PAN-OS Admin Guide.
The configuration example in this chapter illustrates how to integrate the firewall into your Layer 3 network
using static routes.


About Security Policy


Security Policy protects network assets from threats and disruptions and aids in optimally allocating network
resources for enhancing productivity and efficiency in business processes. On the Palo Alto Networks firewall,
security policy rules determine whether to block or allow a session based on traffic attributes such as the source
and destination security zone, the source and destination IP address, the application, user, and the service.
For traffic that doesn't match any defined rules, the default rules apply. The default rules, displayed at the
bottom of the security rulebase, are predefined to allow all intrazone (within the zone) traffic and deny all
interzone (between zones) traffic. Although these rules are part of the predefined configuration and are
read-only by default, you can override them and change a limited number of settings, including the tags, action
(allow or deny), log settings, and security profiles.
Security policy rules are evaluated left to right and from top to bottom. A packet is matched against the first
rule that meets the defined criteria; after a match is triggered the subsequent rules are not evaluated. Therefore,
the more specific rules must precede more generic ones in order to enforce the best match criteria. Traffic that
matches a rule generates a log entry at the end of the session in the traffic log, if logging is enabled for that rule.
The logging options are configurable for each rule, and can for example be configured to log at the start of a
session instead of, or in addition to, logging at the end of a session.

Actions in Security Policy

About Policy Objects

About Security Profiles

Actions in Security Policy


For traffic that matches the attributes defined in a security policy, you can apply the following actions:

Action: Allow (default action)
Description: Allows the traffic.

Action: Deny
Description: Blocks traffic, and enforces the default Deny Action defined for the application that is being
denied. To view the deny action defined by default for an application, view the application details in
Objects > Applications or check the application details in Applipedia.

Action: Drop
Description: Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is
not sent to the host/application.
For Layer 3 interfaces, to optionally send an ICMP unreachable response to the client, set Action: Drop and
enable the Send ICMP Unreachable check box. When enabled, the firewall sends the ICMP code for "communication
with the destination is administratively prohibited" (ICMPv4: Type 3, Code 13; ICMPv6: Type 1, Code 1).

Action: Reset client
Description: Sends a TCP reset to the client-side device.

Action: Reset server
Description: Sends a TCP reset to the server-side device.

Action: Reset both
Description: Sends a TCP reset to both the client-side and server-side devices.


A reset is sent only after a session is formed. If the session is blocked before a 3-way handshake is completed, the
firewall will not send the reset.
For a TCP session with a reset action, the firewall does not send an ICMP Unreachable response.
For a UDP session with a drop or reset action, if the ICMP Unreachable check box is selected, the firewall sends an
ICMP message to the client.

About Policy Objects


A policy object is a single object or a collective unit that groups discrete identities such as IP addresses, URLs,
applications, or users. With Policy Objects that are a collective unit, you can reference the object in security
policy instead of manually selecting multiple objects one at a time. Typically, when creating a policy object, you
group objects that require similar permissions in policy. For example, if your organization uses a set of server
IP addresses for authenticating users, you can group the set of server IP addresses as an address group policy
object and reference the address group in the security policy. By grouping objects, you can significantly reduce
the administrative overhead in creating policies.
Some examples of address and application policy objects are shown in the security policies that are included in
Create Security Rules. For information on the other policy objects, see Enable Basic Threat Prevention Features.


About Security Profiles


While security policies enable you to allow or deny traffic on your network, security profiles help you define an
"allow but scan" rule, which scans allowed applications for threats. When traffic matches the allow rule defined in
the security policy, the Security Profiles that are attached to the rule are applied for further content inspection
rules such as antivirus checks and data filtering.
Security profiles are not used in the match criteria of a traffic flow. The security profile is applied
to scan traffic after the application or category is allowed by the security policy.

The different types of security profiles that can be attached to security policies are: Antivirus, Anti-Spyware,
Vulnerability Protection, URL Filtering, File Blocking, and Data Filtering. The firewall provides default security
profiles that you can use out of the box to begin protecting your network from threats. See Create Security Rules
for information on using the default profiles in your security policy. As you get a better understanding about the
security needs on your network, you can create custom profiles. See Scan Traffic for Threats for more
information.


Plan the Deployment


Before you begin configuring interfaces and zones, take some time to plan the zones you will need based on the
different usage requirements within your organization. In addition, you should gather all of the configuration
information you will need ahead of time. At a basic level, you should plan which interfaces will belong to which
zones. For Layer 3 deployments you'll also need to obtain the required IP addresses and network configuration
information from your network administrator, including information on how to configure the routing protocol
or static routes required for the virtual router configuration. The example in this chapter will be based on the
following topology:
Figure: Layer 3 Topology Example

The following table shows the information we will use to configure the Layer 3 interfaces and their
corresponding zones as shown in the sample topology.
Zone     Deployment Type   Interface(s)   Configuration Settings
Untrust  L3                Ethernet1/3    IP address: 203.0.113.100/24
                                          Virtual router: default
                                          Default route: 0.0.0.0/0
                                          Next hop: 203.0.113.1
Trust    L3                Ethernet1/4    IP address: 192.168.1.4/24
                                          Virtual router: default
DMZ      L3                Ethernet1/13   IP address: 10.1.1.1/24
                                          Virtual router: default


Configure Interfaces and Zones


After you plan your zones and the corresponding interfaces, you can configure them on the device. The way
you configure each interface depends on your network topology.
The following procedure shows how to configure a Layer 3 deployment as depicted in Figure: Layer 3 Topology
Example.
The firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1
and Ethernet 1/2 (and a corresponding default security policy and virtual router). If you do not plan
to use the default virtual wire, you must manually delete the configuration and commit the change
before proceeding to prevent it from interfering with other settings you define. For instructions on
how to delete the default virtual wire and its associated security policy and zones, see Step 3 in
Set Up a Data Port for Access to External Services.

Set Up Interfaces and Zones

Step 1: Configure a default route to your Internet router.
1. Select Network > Virtual Router and then select the default link to open the Virtual Router dialog.
2. Select the Static Routes tab and click Add. Enter a Name for the route and enter the route in the Destination
   field (for example, 0.0.0.0/0).
3. Select the IP Address radio button in the Next Hop field and then enter the IP address and netmask for your
   Internet gateway (for example, 203.0.113.1).
4. Click OK twice to save the virtual router configuration.

Step 2: Configure the external interface (the interface that connects to the Internet).
1. Select Network > Interfaces and then select the interface you want to configure. In this example, we are
   configuring Ethernet1/3 as the external interface.
2. Select the Interface Type. Although your choice here depends on your network topology, this example shows the
   steps for Layer3.
3. On the Config tab, select New Zone from the Security Zone drop-down. In the Zone dialog, define a Name for the
   new zone, for example Untrust, and then click OK.
4. In the Virtual Router drop-down, select default.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP
   address and network mask to assign to the interface, for example 208.80.56.100/24.
6. To enable you to ping the interface, select Advanced > Other Info, expand the Management Profile drop-down, and
   select New Management Profile. Enter a Name for the profile, select Ping and then click OK.
7. To save the interface configuration, click OK.


Step 3: Configure the interface that connects to your internal network.
In this example, the interface connects to a network segment that uses private IP addresses. Because private IP
addresses cannot be routed externally, you will have to configure NAT.
1. Select Network > Interfaces and select the interface you want to configure. In this example, we are configuring
   Ethernet1/4 as the internal interface.
2. Select Layer3 from the Interface Type drop-down.
3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for
   the new zone, for example Trust, and then click OK.
4. Select the same Virtual Router you used in Step 2, default in this example.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP
   address and network mask to assign to the interface, for example 192.168.1.4/24.
6. To enable you to ping the interface, select the management profile that you created in Step 2-6.
7. To save the interface configuration, click OK.

Step 4: Configure the interface that connects to the DMZ.
1. Select the interface you want to configure.
2. Select Layer3 from the Interface Type drop-down. In this example, we are configuring Ethernet1/13 as the DMZ
   interface.
3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for
   the new zone, for example DMZ, and then click OK.
4. Select the Virtual Router you used in Step 2, default in this example.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP
   address and network mask to assign to the interface, for example 10.1.1.1/24.
6. To enable you to ping the interface, select the management profile that you created in Step 2-6.
7. To save the interface configuration, click OK.

Step 5: Save the interface configuration.
Click Commit.

Step 6: Cable the firewall.
Attach straight-through cables from the interfaces you configured to the corresponding switch or router on each
network segment.

Step 7: Verify that the interfaces are active.
From the web interface, select Network > Interfaces and verify that the icon in the Link State column is green. You
can also monitor link state from the Interfaces widget on the Dashboard.


Set Up Basic Security Policies


Policies allow you to enforce rules and take action. The different types of policy rules that you can create on the
firewall are: Security, NAT, Quality of Service (QoS), Policy Based Forwarding (PBF), Decryption, Application
Override, Captive Portal, Denial of Service, and Zone protection policies. All these different policies work
together to allow, deny, prioritize, forward, encrypt, decrypt, make exceptions, authenticate access, and reset
connections as needed to help secure your network. This section covers basic security policies and the default
security profiles:

Create Security Rules

Test Your Security Policies

Monitor Network Traffic

Create Security Rules


Security policies reference security zones and enable you to allow, restrict, and track traffic on your network.
Because each zone implies a level of trust, the implicit rule for passing traffic between two different zones is
deny, and the traffic within a zone is permitted. To allow traffic between two different zones, you must create a
security rule that allows traffic to flow between them.
While setting up the basic framework for securing the enterprise perimeter, it's a good idea to start with a simple
security policy that allows traffic between the different zones without being too restrictive. As illustrated in the
following section, our objective is to minimize the likelihood of breaking applications that users on the network
need access to, while providing visibility into the applications and the potential threats for your network.
When defining policies make sure that you do not create a policy that denies all traffic from any
source zone to any destination zone as this will break intra-zone traffic that is implicitly allowed.
By default, intra-zone traffic is permitted because the source and destination zones are the same
and therefore share the same level of trust.


Define Basic Security Rules

Step 1: Permit Internet access for all users on the enterprise network.
Zone: Trust to Untrust
By default, the firewall includes a security rule named rule1 that allows all traffic from Trust zone to Untrust
zone. You can either delete the rule or modify the rule to reflect your zone-naming convention.
To safely enable applications that are required for day-to-day business operations we will create a simple rule
that allows access to the Internet. To provide basic threat protection, we will attach the default security
profiles available on the firewall.
1. Select Policies > Security and click Add.
2. Give the rule a descriptive name in the General tab.
3. In the Source tab, set the Source Zone to Trust.
4. In the Destination tab, set the Destination Zone to Untrust.
   To scan policy rules and visually identify the zones on each rule, create a tag with the same name as the zone.
   For example, to color code the Trust zone as green, select Objects > Tags, click Add and Name the tag Trust,
   and select the Color green.
5. In the Service/URL Category tab, select service-http and service-https.
6. In the Actions tab, complete these tasks:
   a. Set the Action Setting to Allow.
   b. Attach the default profiles for antivirus, anti-spyware, vulnerability protection and URL filtering, under
      Profile Setting.
7. Verify that logging is enabled at the end of a session under Options. Only traffic that matches a security rule
   will be logged.

Step 2: Permit users on the internal network to access the servers in the DMZ.
Zone: Trust to DMZ
If using IP addresses for configuring access to the servers in the DMZ, make sure to always refer to the original
IP addresses in the packet (i.e. the pre-NAT addresses), and the post-NAT zone.
1. Click Add in the Policies > Security section.
2. Give the rule a descriptive name in the General tab.
3. In the Source tab, set the Source Zone to Trust.
4. In the Destination tab, set the Destination Zone to DMZ.
5. In the Service/URL Category tab, make sure the Service is set to application-default.
6. In the Actions tab, set the Action Setting to Allow.
7. Leave all the other options at the default values.

Palo Alto Networks

PAN-OS 7.0 Administrators Guide 43

Create the Security Perimeter

Getting Started

Define Basic Security Rules (Continued)

Step 3

Step 4

Restrict access from the Internet to the To restrict inbound access to the DMZ from the Internet, configure
servers on the DMZ to specific server IP a rule that allows access only to specific servers IP addresses and on
addresses only.
the default ports that the applications use.
Add to add a new rule, and give it a descriptive name.
For example, you might only allow users 1. Click
2. In the Source tab, set the Source Zone to Untrust.
to access the webmail servers from
outside.
3. In the Destination tab, set the Destination Zone to DMZ.
4. Set the Destination Address to the Public web server address
Zone: Untrust to DMZ
object you created earlier. The public web server address object
references the public IP address208.80.56.11/24of the web
server that is accessible on the DMZ.
5. Select the webmail application in the Application tab.
The Service is set to application-default by default.

Allow access from the DMZ to your


internal network (Trust zone). To
minimize risk, you will allow traffic only
between specific servers and destination
addresses. For example, if you have an
application server on the DMZ that needs
to communicate with a specific database
server in your Trust zone, create a rule to
allow traffic between a specific source to
a specific destination.

6.

Set the Action Setting to Allow.

1.
2.
3.
4.

Click Add to add a new rule, and give it a descriptive name.


Set the Source Zone to DMZ.
Set the Destination Zone to Trust.
Create a an address object that specifies the server(s) on your
Trust zone that can be accessed from the DMZ.

5.

In the Destination tab on the Security Policy rule, set the


Destination Address to the Address object you created above.
In the Actions tab, complete these tasks:
a. Set the Action Setting to Allow.

Zone: DMZ to Trust

6.

b. Attach the default profiles for antivirus, anti-spyware,


vulnerability protection, under Profile Setting.
c. In the Other Settings section, select the option to Disable
Server Response Inspection. This setting disables the
antivirus and anti-spyware scanning on the server-side
responses, and thus reduces the load on the firewall.

44 PAN-OS 7.0 Administrators Guide

Palo Alto Networks

Getting Started

Create the Security Perimeter

Define Basic Security Rules (Continued)

Step 5

Enable the servers on the DMZ to obtain 1.


updates and hot fixes from the Internet. 2.
Say, for example, you would like to allow
3.
the Microsoft Update service.
4.
Zone: DMZ to Untrust

5.
6.

Step 6

Save your policies to the running


configuration on the device.

Palo Alto Networks

Add a new rule and give it a descriptive label.


Set the Source Zone to DMZ.
Set the Destination Zone to Untrust.
Create an application group to specify the applications that you
would like to allow. In this example, we allow Microsoft updates
(ms-updates) and dns.

The Service is set to application-default by default.


This allows the firewall to permit the applications only
when they use the standard ports associated with these
applications.
Set the Action Setting to Allow.
Attach the default profiles for antivirus, anti-spyware, and
vulnerability protection, under Profiles.

Click Commit.

PAN-OS 7.0 Administrators Guide 45

Create the Security Perimeter

Getting Started

Test Your Security Policies


To verify that you have set up your basic policies effectively, test whether your security policies are being
evaluated and determine which security rule applies to a traffic flow.

Verify Policy Match Against a Flow

To verify the policy rule that matches a flow, use the following CLI command:

    test security-policy-match source <IP_address> destination <IP_address> destination-port <port_number> protocol <protocol_number>

The output displays the best rule that matches the source and destination IP address specified in the
CLI command.

For example, to verify the policy rule that will be applied for a server on the DMZ with the IP address
208.80.56.11 when it accesses the Microsoft update server, you will try the following command:

    test security-policy-match source 208.80.56.11 destination 176.9.45.70 destination-port 80 protocol 6

    "Updates-DMZ to Internet" {
            from dmz;
            source any;
            source-region any;
            to untrust;
            destination any;
            destination-region any;
            user any;
            category any;
            application/service[dns/tcp/any/53
            dns/udp/any/53 dns/udp/any/5353
            ms-update/tcp/any/80 ms-update/tcp/any/443];
            action allow;
            terminal yes;
    }
Monitor Network Traffic


Now that you have a basic security policy, you can review the statistics and data in the Application Command
Center (ACC), traffic logs, and the threat logs to observe trends on your network, to identify where you need to
create more granular policies.

Use the Application Command Center and the Automated Correlation Engine.
In the ACC, review the most used applications and the high-risk applications on your network. The ACC
graphically summarizes the log information to highlight the applications traversing the network, who is using
them (with User-ID enabled), and the potential security impact of the content to help you identify what is
happening on the network in real time. You can then use this information to create appropriate security policy
rules that block unwanted applications, while allowing and enabling applications in a secure manner.
The Compromised Hosts widget in ACC > Threat Activity displays potentially compromised hosts on your network
and the logs and match evidence that corroborate the events.

Determine what updates/modifications are required for your network security policy rules and implement
the changes.
For example:
- Evaluate whether to allow content based on schedule, users, or groups.
- Allow or control certain applications or functions within an application.
- Decrypt and inspect content.
- Allow but scan for threats and exploits.
For information on refining your security policies and for attaching custom security profiles, see Enable
Basic Threat Prevention Features.

View the Log Files.
Specifically, view the traffic and threat logs (Monitor > Logs). Traffic logs are dependent on how your
security policies are defined and set up to log traffic. The Application Usage widget in the ACC, however,
records applications and statistics regardless of policy configuration; it shows all traffic that is allowed
on your network, therefore it includes the inter-zone traffic that is allowed by policy and the same-zone
traffic that is allowed implicitly.

Monitor Web Activity of Network Users.
Review the URL filtering logs to scan through alerts and denied categories/URLs. URL logs are generated when
traffic matches a security rule that has a URL filtering profile attached with an action of alert, continue,
override or block.

Enable Basic Threat Prevention Features


The Palo Alto Networks next-generation firewall has unique threat prevention capabilities that allow it to
protect your network from attack despite evasive, tunneled, or circumvention techniques. The threat prevention
features on the firewall include the WildFire service, the Security Profiles that support Antivirus, Anti-Spyware,
Vulnerability Protection, URL Filtering, File Blocking and Data Filtering capabilities, and the Denial of Service
(DoS) and Zone Protection functionality.

Note: Before you can apply threat prevention features, you must first configure zones (to identify one
or more source or destination interfaces) and security policy rules. To configure interfaces,
zones, and the policies that are needed to apply threat prevention features, see Configure
Interfaces and Zones and Set Up Basic Security Policies.

To begin protecting your network from threats start here:

Enable WildFire

Scan Traffic for Threats

Control Access to Web Content

Enable WildFire
The WildFire service is included as part of the base product. The WildFire service enables the firewall to
forward attachments to a sandbox environment where applications are run to detect any malicious activity. As
new malware is detected by the WildFire service, malware signatures are automatically generated and are made
available within 24-48 hours in the antivirus daily downloads. Your threat prevention subscription entitles you
to antivirus signature updates that include signatures discovered by WildFire.
Consider purchasing the WildFire subscription service for these additional benefits:

Sub-hourly (as often as every 15 minutes) WildFire signature updates.

Advanced file type forwarding for APKs, Flash files, PDFs, Microsoft Office files, Java Applets, Java files
(.jar and .class), and HTTP/HTTPS email links contained in SMTP and POP3 email messages. Portable
Executable (PE) files can be forwarded for WildFire analysis both with and without a WildFire subscription.

Ability to upload files using the WildFire API.

Ability to forward files to a private WF-500 WildFire appliance. When using a WildFire appliance, you can
also set up a WildFire hybrid cloud, enabling the WildFire appliance to analyze sensitive file types locally,
while less sensitive file types (such as PEs) or file types not supported for WildFire appliance analysis
(such as APKs) are forwarded to the WildFire cloud.

Enable WildFire

Step 1: Confirm that your device is registered and that you have a valid support account as well as any
subscriptions you require.

1. Go to the Palo Alto Networks Support Site, log in, and select My Devices.
2. Verify that the firewall is listed. If it is not listed, see Register the Firewall.
3. (Optional) Activate Licenses and Subscriptions.

Step 2: Set the WildFire forwarding options.

Note: If you do not have a WildFire subscription you can only forward PEs.

1. Select Device > Setup > WildFire and edit the General Settings.
2. (Optional) Specify the WildFire cloud or WildFire appliance (or both) to which the firewall will forward
   files for analysis. By default, the firewall will forward files to the public WildFire cloud hosted in
   the United States (wildfire.paloaltonetworks.com). To forward files to the WildFire cloud hosted in
   Japan or to enable file-forwarding to a WildFire appliance, update the following fields:
   - WildFire Public Cloud: To forward files to the public WildFire cloud running in Japan, enter
     wildfire.paloaltonetworks.jp.
   - WildFire Private Cloud: To forward files to a private WildFire cloud, enter the IP address or FQDN
     of your WF-500 WildFire appliance.
3. (Optional) If you want to change the maximum file size that the firewall can forward for a specific
   type of file, modify the value in the corresponding field.
4. Click OK to save your changes.

Step 3: Set up a WildFire Analysis profile to forward files to WildFire.

1. Select Objects > Security Profiles > WildFire Analysis and click Add.
2. Enter a Name and optionally a Description for the profile.
3. Click Add to create a forwarding rule and enter a name.
4. Define traffic to be forwarded to the WildFire service based on Applications, File Types, or
   transmission Direction.
5. In the Analysis column, select public-cloud to forward the defined files to the WildFire cloud or
   select private-cloud to forward files to the WildFire appliance.
6. (Optional) Add additional forwarding rules as necessary.
7. Click OK to save the profile.

Step 4: Attach the WildFire Analysis profile to the security policies that allow access to the Internet.

1. Select Policies > Security and either select an existing policy or create a new policy as described in
   Create Security Rules.
2. Click the Actions tab within the security policy.
3. In the Profile Settings section, click the drop-down and select the WildFire Analysis profile you
   created for WildFire forwarding. (If you don't see a drop-down for selecting a profile, select
   Profiles from the Profile Type drop-down.)

Step 5: Save the configuration.

Click Commit.

Step 6: Verify that the firewall is forwarding files to the WildFire cloud or the WildFire appliance.

1. Select Monitor > Logs > WildFire Submissions to view the WildFire logs. For each log entry displayed,
   the firewall has successfully forwarded the file to WildFire and WildFire has returned a file
   analysis report.
2. Check the WildFire Cloud column to view if a file was forwarded to the WildFire cloud or the WildFire
   appliance for analysis.

Scan Traffic for Threats


Security Profiles provide threat protection in security policies. For example, you can apply an antivirus profile
to a security policy and all traffic that matches the security policy will be scanned for viruses.
The following sections provide steps for setting up a basic threat prevention configuration:

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

Set Up File Blocking

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection


Every Palo Alto Networks next-generation firewall comes with predefined Antivirus, Anti-Spyware, and
Vulnerability Protection profiles that you can attach to security policies. There is one predefined Antivirus
profile, default, which uses the default action for each protocol (block HTTP, FTP, and SMB traffic and alert on
SMTP, IMAP, and POP3 traffic). There are two predefined Anti-Spyware and Vulnerability Protection profiles:

default: Applies the default action to all client and server critical, high, and medium severity
spyware/vulnerability protection events. It does not detect low and informational events.

strict: Applies the block response to all client and server critical, high and medium severity
spyware/vulnerability protection events and uses the default action for low and informational events.

To ensure that the traffic entering your network is free from threats, attach the predefined profiles to your basic
web access policies. As you monitor the traffic on your network and expand your policy rulebase, you can then
design more granular profiles to address your specific security needs.
Set up Antivirus/Anti-Spyware/Vulnerability Protection

Step 1: Verify that you have a Threat Prevention license.

The Threat Prevention license bundles the Antivirus, Anti-Spyware, and the Vulnerability Protection features
in one license. Select Device > Licenses to verify that the Threat Prevention license is installed and valid
(check the expiration date).

Step 2: Download the latest antivirus threat signatures.

1. Select Device > Dynamic Updates and click Check Now at the bottom of the page to retrieve the latest
   signatures.
2. In the Actions column, click Download to install the latest Antivirus, and Applications and Threats
   signatures.

Step 3: Schedule signature updates.

Tip: Perform a download-and-install on a daily basis for antivirus updates and weekly for applications and
threats updates.

1. From Device > Dynamic Updates, click the text to the right of Schedule to automatically retrieve
   signature updates for Antivirus and Applications and Threats.
2. Specify the frequency and timing for the updates and whether the update will be downloaded and
   installed or only downloaded. If you select Download Only, you would need to manually go in and click
   the Install link in the Action column to install the signature. When you click OK, the update is
   scheduled. No commit is required.
3. (Optional) You can also enter the number of hours in the Threshold field to indicate the minimum age
   of a signature before a download will occur. For example, if you entered 10, the signature must be at
   least 10 hours old before it will be downloaded, regardless of the schedule.
4. In an HA configuration, you can also click the Sync To Peer option to synchronize the content update
   with the HA peer after download/install. This will not push the schedule settings to the peer device;
   you need to configure the schedule on each device.

Recommendations for HA Configurations:

Active/Passive HA: If the MGT port is used for antivirus signature downloads, you should configure a schedule
on both devices and both devices will download/install independently. If you are using a data port for
downloads, the passive device will not perform downloads while it is in the passive state. In this case you
would set a schedule on both devices and then select the Sync To Peer option. This will ensure that whichever
device is active, the updates will occur and will then push to the passive device.

Active/Active HA: If the MGT port is used for antivirus signature downloads on both devices, then schedule the
download/install on both devices, but do not select the Sync To Peer option. If you are using a data port,
schedule the signature downloads on both devices and select Sync To Peer. This will ensure that if one device
in the active/active configuration goes into the active-secondary state, the active device will
download/install the signature and will then push it to the active-secondary device.

Step 4: Attach the security profiles to a security policy.

Tip: Attach a clone of a predefined security profile to your basic security policies. That way, if you want
to customize the profile you can do so without deleting the read-only predefined strict or default profile
and attaching a customized profile.

1. Select Policies > Security, select the desired policy to modify it and then click the Actions tab.
2. In Profile Settings, click the drop-down next to each security profile you would like to enable. In this
   example we choose default for Antivirus, Vulnerability Protection, and Anti-Spyware.
   If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.

Step 5: Save the configuration.

Click Commit.

Set Up File Blocking


File Blocking Profiles allow you to identify specific file types that you want to block or monitor. The
following workflow shows how to set up a basic file blocking profile that prevents users from downloading
executable files from the Internet.

Configure File Blocking

Step 1: Create the file blocking profile.

1. Select Objects > Security Profiles > File Blocking and click Add.
2. Enter a Name for the file blocking profile, for example Block_EXE.
3. Optionally enter a Description, such as Block users from downloading exe files from websites.

Step 2: Configure the file blocking options.

1. Click Add to define the profile settings.
2. Enter a Name, such as BlockEXE.
3. Set the Applications to which to apply file blocking, or leave it set to any.
4. Set File Types to block. For example, to block download of executables, you would select exe.
5. Specify the Direction in which to block files: download, upload, or both.
6. Set the Action to one of the following:
   - continue (web traffic only): Files matching the selected criteria will trigger a customizable
     response page that requires users to click Continue in order to proceed with the download/upload.
     You must enable response pages on the associated interfaces if you plan to use this option (Step 4).
   - block: Files matching the selected criteria will be blocked from download/upload.
   - alert: Files matching the selected criteria will be allowed, but will generate a log entry in the
     data filtering log.
7. Click OK to save the profile.

Step 3: Attach the file blocking profile to the security policies that allow access to content.

1. Select Policies > Security and either select an existing policy or create a new policy as described in
   Create Security Rules.
2. Click the Actions tab within the security policy.
3. In the Profile Settings section, click the drop-down and select the file blocking profile you created.
   If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.

Step 4: Enable response pages in the management profile for each interface on which you are attaching a
file blocking profile with a continue action.

1. Select Network > Network Profiles > Interface Mgmt and then select an interface profile to edit or click
   Add to create a new profile.
2. Select Response Pages, as well as any other management services required on the interface.
3. Click OK to save the interface management profile.
4. Select Network > Interfaces and select the interface to which to attach the profile.
5. On the Advanced > Other Info tab, select the interface management profile you just created.
6. Click OK to save the interface settings.

Step 5: Test the file blocking configuration.

Access a client PC in the trust zone of the firewall and attempt to download an .exe file from a website in
the untrust zone. Make sure the file is blocked as expected based on the action you defined in the file
blocking profile:
- If you selected alert as the action, check the data filtering log to make sure you see a log entry for
  the request.
- If you selected block as the action, the File Blocking Block Page response page should display.
- If you selected the continue action, the File Blocking Continue Page response page should display. Click
  Continue to download the file. The following shows the default File Blocking Continue Page.

Control Access to Web Content


URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the
firewall can categorize web traffic into one or more (from approximately 60) categories. You can then create
policies that specify whether to allow, block, or log (alert) traffic based on the category to which it belongs. The
following workflow shows how to enable PAN-DB for URL filtering, create security profiles, and attach them
to security policies to enforce a basic URL filtering policy.
Configure URL Filtering

Step 1: Confirm license information for URL Filtering.

1. Obtain and install a URL Filtering license. See Activate Licenses and Subscriptions for details.
2. Select Device > Licenses and verify that the URL Filtering license is valid.

Step 2: Download the seed database and activate the license.

1. To download the seed database, click Download next to Download Status in the PAN-DB URL Filtering
   section of the Licenses page.
2. Choose a region (North America, Europe, APAC, Japan) and then click OK to start the download.
3. After the download completes, click Activate.

Step 3: Create a URL filtering profile.

Tip: Because the default URL filtering profile blocks risky and threat-prone content, clone this profile
when creating a new profile in order to preserve the default settings.

1. Select Objects > Security Profiles > URL Filtering.
2. Select the default profile and then click Clone. The new profile will be named default-1.
3. Select the new profile and rename it.

Step 4: Define how to control access to web content.

Tip: If you are not sure what traffic you want to control, consider setting the categories (except for
those blocked by default) to alert. You can then use the visibility tools on the firewall, such as the ACC
and App Scope, to determine which web categories to restrict to specific groups or to block entirely. You
can then go back and modify the profile to block and allow categories as desired.

Tip: You can also define specific sites to always allow or always block regardless of category and enable
the safe search option to filter search results when defining the URL Filtering profile.

1. For each category that you want visibility into or control over, select a value from the Action column
   as follows:
   - If you do not care about traffic to a particular category (that is, you neither want to block it nor
     log it), select allow.
   - For visibility into traffic to sites in a category, select alert.
   - To present a response page to users attempting to access a particular category, to alert them to the
     fact that the content they are accessing might not be work appropriate, select continue.
   - To prevent access to traffic that matches the associated policy, select block (this also generates a
     log entry).
2. Click OK to save the URL filtering profile.

Step 5: Attach the URL filtering profile to a security policy.

1. Select Policies > Security.
2. Select the desired policy to modify it and then click the Actions tab.
3. If this is the first time you are defining a security profile, select Profiles from the Profile Type
   drop-down.
4. In the Profile Settings list, select the profile you just created from the URL Filtering drop-down. (If
   you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.)
5. Click OK to save the profile.
6. Commit the configuration.

Step 6: Enable Response Pages in the management profile for each interface on which you are filtering web
traffic.

1. Select Network > Network Profiles > Interface Mgmt and then select an interface profile to edit or click
   Add to create a new profile.
2. Select Response Pages, as well as any other management services required on the interface.
3. Click OK to save the interface management profile.
4. Select Network > Interfaces and select the interface to which to attach the profile.
5. On the Advanced > Other Info tab, select the interface management profile you just created.
6. Click OK to save the interface settings.

Step 7: Save the configuration.

Click Commit.

Step 8: Test the URL filtering configuration.

Access a client PC in the trust zone of the firewall and attempt to access a site in a blocked category.
Make sure URL filtering is applied based on the action you defined in the URL filtering profile:
- If you selected alert as the action, check the data filtering log to make sure you see a log entry for
  the request.
- If you selected the continue action, the URL Filtering Continue and Override Page response page should
  display. Continue to the site.
- If you selected block as the action, the URL Filtering and Category Match Block Page response page
  should display.

For More Information


For more detailed information on how to protect your enterprise from threats, see Threat Prevention. For
details on how to scan encrypted (SSH or SSL) traffic for threats, see Decryption.
For information about the threats and applications that Palo Alto Networks products can identify, visit the
following links:

Applipedia: Provides details on the applications that Palo Alto Networks can identify.

Threat Vault: Lists threats that Palo Alto Networks products can identify. You can search by Vulnerability,
Spyware, or Virus. Click the Details icon next to the ID number for more information about a threat.

Best Practices for Completing the Firewall Deployment


Now that you have integrated the firewall into your network and enabled the basic security features, you can
begin configuring more advanced features. Here are some things to consider next:

Learn about the different Management Interfaces that are available to you and how to access and use
them.

Set up High Availability: High availability (HA) is a configuration in which two firewalls are placed in a
group and their configuration is synchronized to prevent a single point of failure on your network. A
heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes
down. Setting up the firewalls in a two-device cluster provides redundancy and allows you to ensure
business continuity.

Configure the Master Key: Every Palo Alto Networks firewall has a default master key that encrypts
private keys that are used to authenticate administrators when they access management interfaces on the
firewall. As a best practice to safeguard the keys, configure the master key on each firewall to be unique.

Manage Firewall Administrators: Every Palo Alto Networks firewall and appliance is preconfigured with
a default administrative account (admin) that provides full read-write access (also known as superuser
access) to the device. As a best practice, create a separate administrative account for each person who
needs access to the administrative or reporting functions of the firewall. This allows you to better protect
the device from unauthorized configuration (or modification) and to enable logging of the actions of each
individual administrator.

Enable User Identification (User-ID): User-ID is a Palo Alto Networks next-generation firewall feature
that allows you to create policies and perform reporting based on users and groups rather than individual
IP addresses.

Enable Decryption: Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for
visibility, control, and granular security. Use decryption on a firewall to prevent malicious content from
entering your network or sensitive content from leaving your network concealed as encrypted or tunneled
traffic.

Enable Passive DNS Collection for Improved Threat Intelligence: Enable this opt-in feature to enable
the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for
analysis in order to improve threat intelligence and threat prevention capabilities.

Follow the Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions.


Device Management
Administrators can configure, manage, and monitor the Palo Alto Networks firewalls using the web interface,
the CLI, and the API management interface. Role-based administrative access to the management interfaces can
be customized in order to delegate specific tasks or permissions to certain administrators. See the following
topics for information on device management options, including how to begin using the management interfaces
and how to customize administrator roles:

Management Interfaces

Manage Firewall Administrators

Reference: Web Interface Administrator Access

Reference: Port Numbers Used by Palo Alto Networks Devices

Reset the Firewall to Factory Default Settings


Management Interfaces
PAN-OS firewalls and Panorama provide three user interfaces: a web interface, a command line interface (CLI),
and an XML-based management API. See the following topics for how to access and begin using each of the
device management interfaces:

Use the Web Interface to complete administrative tasks and generate reports from the web interface with
relative ease. This graphical interface allows you to access the firewall using HTTPS and it is the best way to
perform administrative tasks.

Use the Command Line Interface (CLI) to type commands in rapid succession and complete a series of
tasks. The CLI is a no-frills interface that supports two command modes, and each mode has its own
hierarchy of commands and statements. Once you are familiar with the nesting structure and the syntax of
the commands, the CLI allows quick response times and offers administrative efficiency.

Use the XML API to streamline your operations and integrate with existing, internally developed
applications and repositories. The XML API is provided as a web service that is implemented using
HTTP/HTTPS requests and responses.


Use the Web Interface


The following topics describe how to begin using the firewall web interface. For detailed information about the
tabs and fields that are available in the web interface, refer to the Web Interface Reference Guide.

Launch the Web Interface

Navigate the Web Interface

Commit or Validate Changes

Global Find

Use Configuration Pages

Required Fields

Lock Transactions

Launch the Web Interface


The following web browsers are supported for access to the web interface for PAN-OS firewalls and Panorama:

Internet Explorer 7+

Firefox 3.6+

Safari 5+

Chrome 11+

Launch an Internet browser and enter the firewall's IP address. Enter your user credentials. If logging in to the
firewall for the first time, type the default admin into both the Name and Password fields.
To view information on how to use a specific page and an explanation of the fields and options on the page,
click the Help icon in the upper right area of the page to open the online help system. In addition to
displaying context-sensitive help for a page, clicking the Help icon displays a help navigation pane with options
to browse and search all help content.

Navigate the Web Interface


The following conventions apply when using the web interface.

To display the menu items for a general functional category, click the tab, such as Objects or Device, near the
top of the browser window.

Click an item on the side menu to display a panel.


To display submenu items, click the expand icon to the left of an item. To hide submenu items, click the
collapse icon to the left of the item.

To search the candidate configuration on a firewall or on Panorama for a particular string, click the Search
icon to start a Global Find search.

On most configuration pages, you can click Add to create a new item.

To delete one or more items, select their check boxes and click Delete. In most cases, the system prompts
you to confirm by clicking OK or to cancel the deletion by clicking Cancel.

On some configuration pages, you can select the check box for an item and click Clone to create a new item
with the same information as the selected item.

To modify an item, click its underlined link.

To view the current list of tasks, click the Tasks icon in the lower right corner of the page. The Task Manager
window opens to show the list of tasks, along with status, start times, associated messages, and actions. Use
the Show drop-down to filter the list of tasks.

The web interface language is controlled by the current language of the computer that is managing the device
if a specific language preference has not been defined. For example, if the computer you use to manage the
firewall has a locale of Spanish, when you log in to the firewall, the web interface will be in Spanish.

To specify a language that will always be used for a given account regardless of the locale of the computer,
click the Language icon in the lower right corner of the page and the Language Preference window opens.
Click the drop-down to select the desired language and then click OK to save your change.

On pages that list information you can modify (for example, the Setup page on the Devices tab), click the
edit icon in the upper right corner of a section to edit the settings.

After you configure settings, you must click OK or Save to store the changes. When you click OK, the current
candidate configuration is updated.

Commit or Validate Changes


Click Commit at the top of the web interface to open the commit dialog box.


The following options are available in the commit dialog box. Click the Advanced link, if necessary, to display
the options:

Include Device and Network configuration: Include the device and network configuration changes in the
commit operation.

Include Shared Object configuration: (Multi-virtual system firewalls only) Include the shared object
configuration changes in the commit operation.

Include Policy and Object configuration: (Non-multi-virtual system firewalls only) Include the policy and
object configuration changes in the commit operation.

Include Virtual System configuration: Include all virtual systems or choose Select one or more virtual systems.

Preview Changes: Click this button to display a two-pane window that shows proposed changes in the
candidate configuration compared to the current running configuration. You can choose the number of lines
of context to display, or show all lines. Changes are color coded based on items that have been added,
modified, or deleted.

Validate Changes: Click this button to perform a syntactic validation (of configuration syntax) and semantic
validation (whether the configuration is complete and makes sense) of a firewall or Panorama candidate
configuration before committing it. The results display all of the errors and warnings of a full commit or
virtual system commit, including rule shadowing and application dependency warnings. Possible errors
could be an invalid route destination or a missing account and password that are required to query a server.
Such validation significantly reduces failures at commit time.


Global Find
Global Find enables you to search the candidate configuration on a firewall or on Panorama for a particular
string, such as an IP address, object name, policy rule name, threat ID, or application name. The search results
are grouped by category and provide links to the configuration location in the web interface, so that you can
easily find all of the places where the string is referenced. The search results also help you identify other objects
that depend on or make reference to the search term or string. For example, when deprecating a security profile
enter the profile name in Global Find to locate all instances of the profile and then click each instance to
navigate to the configuration page and make the necessary change. After all references are removed, you can
then delete the profile. You can do this for any configuration item that has dependencies.
Global Find will not search dynamic content (such as logs, address ranges, or allocated DHCP
addresses). In the case of DHCP, you can search on a DHCP server attribute, such as the DNS
entry, but you cannot search for individual addresses allocated to users. Global Find also does
not search for individual user or group names identified by User-ID unless the user/group is
defined in a policy. In general, you can only search content that the firewall writes to the
configuration.

Use Global Find

Launch Global Find by clicking the Search icon located on the upper right of the web interface.

To access the Global Find from within a configuration area, click the drop-down next to an item and
click Global Find as follows:


For example, click Global Find on a zone named l3-vlan-trust to search the candidate
configuration for each location where the zone is referenced. The following screen capture shows the
search results for the zone l3-vlan-trust:

Search tips:
If you initiate a search on a firewall that has multiple virtual systems enabled or if custom Administrative Roles
are defined, Global Find will only return results for areas of the firewall in which the administrator has
permissions. The same applies to Panorama device groups.
Spaces in search terms are handled as AND operations. For example, if you search on corp policy, the
search results include instances where corp and policy exist in the configuration.
To find an exact phrase, enclose the phrase in quotation marks.
To rerun a previous search, click the Search icon located on the upper right of the web interface and a list of
the last 20 searches will be displayed. Click an item in the list to rerun that search. The search history list is
unique to each administrator account.

Use Configuration Pages


The tables on configuration pages include sorting and column chooser options. Click a column header to sort
on that column, and click again to change the sort order. Click the arrow to the right of any column and select
check boxes to choose the columns to display.

Required Fields
Required fields are shown with a light yellow background. A message indicating that the field is required appears
when you hover over or click in the field entry area.


Lock Transactions
The web interface provides support for multiple administrators by allowing an administrator to lock a current
set of transactions, thereby preventing configuration changes or commit operations by another administrator
until the lock is removed. The following types of locks are supported:

Config lock: Blocks other administrators from making changes to the configuration. This type of lock can
be set globally or for a virtual system. It can be removed only by the administrator who set it or by a
superuser on the system.

Commit lock: Blocks other administrators from committing changes until all of the locks have been
released. This type of lock prevents collisions that can occur when two administrators are making changes
at the same time and the first administrator finishes and commits changes before the second administrator
has finished. The lock is released when the current changes are committed by the administrator who applied
the lock, or it can be released manually.

Any administrator can open the lock window to view the current transactions that are locked, along with a time
stamp for each.
To lock a transaction, click the unlocked icon on the top bar to open the Locks dialog box. Click Take a
Lock, select the scope of the lock from the drop-down, and click OK. Add additional locks as needed, and then
click Close to close the Lock dialog box.
The transaction is locked, and the icon on the top bar changes to a locked icon that shows the number of locked
items in parentheses.
To unlock a transaction, click the locked icon on the top bar to open the Locks window. Click the remove icon
for the lock that you want to remove, and click Yes to confirm. Click Close to close the Lock dialog box.
You can arrange to automatically acquire a commit lock by selecting the Automatically acquire commit lock check
box in the Management area of the Device Setup page.


Use the Command Line Interface (CLI)


The PAN-OS CLI allows you to access Firewall and Panorama devices, view status and configuration
information, and modify configurations. Access to the PAN-OS CLI is provided through SSH, Telnet, or direct
console access.
The following topics describe how to access and begin using the PAN-OS CLI:

Access the PAN-OS CLI

Operational and Configuration Modes

Access the PAN-OS CLI


Use a terminal emulator, such as PuTTY, to connect to the CLI in one of the following ways:

SSH Connection: After you Perform Initial Configuration, you can establish a CLI connection over the
network using a secure shell (SSH) connection.

Serial Connection: If you have not yet completed initial configuration or if you chose not to enable SSH
on the firewall, you can establish a direct serial connection from a serial interface on your management
computer to the Console port on the firewall.

Access the PAN-OS CLI

Step 1

Launch the terminal emulation software and select the type of connection (Serial or SSH).
To establish an SSH connection, enter the hostname or IP address of the firewall or Panorama you want to
connect to and set the port to 22.
To establish a Serial connection, connect a serial interface on management computer to the Console port on
the firewall. Configure the Serial connection settings in the terminal emulation software as follows:
Data rate: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: none

Step 2

When prompted to log in, enter your administrative username.


The default superuser username is admin. To set up CLI access for other administrative users, Configure an
Administrative Account.

Step 3

Enter the administrative password.


The default superuser password is admin. However, for security reasons you should immediately change the
admin password.
The CLI opens in Operational mode, and the CLI prompt is displayed:
username@hostname>
You can tell you are in Operational mode because the command prompt ends with a >.


Operational and Configuration Modes


When you log in, the PAN-OS CLI opens in operational mode. You can move between operational and
configuration modes at any time. Use operational mode to view the state of the system, navigate the PAN-OS
CLI, and enter configuration mode. Use configuration mode to view and modify the configuration hierarchy.

To enter configuration mode from operational mode, use the configure command:
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#

To leave configuration mode and return to operational mode, use the quit or exit command:
username@hostname# quit
Exiting configuration mode
username@hostname>

To enter an operational mode command while in configuration mode, use the run command, for example:
username@hostname# run ping host 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data
...
username@hostname#

To direct an Operational mode command to a particular VSYS, specify the target VSYS with the following
command:
username@hostname# set system setting target-vsys <vsys_name>


Use the XML API


The Palo Alto Networks XML API uses standard HTTP requests to send and receive data, allowing access to several
types of data on the device so the data can be easily integrated with and used in other systems. Use the
XML-based Management API to view a firewall's or Panorama's configuration, extract report data in XML
format, and execute operational commands. API calls can be made directly from command line utilities such as
cURL or wget, or using any scripting or application framework that supports RESTful services. When using the
API with command line tools, both HTTP GET and POST methods are supported.
You must generate an API key in order to use the XML API. The API key authenticates the user to the firewall,
application, or Panorama. After you have generated an API key, you can use the key to perform device
configuration and operational tasks, retrieve reports and logs, and import and export files. See Generate an API
Key for steps to generate an API key.
The following table shows the URL structure for API requests:

PAN-OS Version: XML API URL Structure
Prior to PAN-OS 4.1.0: http(s)://hostname/esp/restapi.esp?request-parameters-values
PAN-OS 4.1.0 and later: http(s)://hostname/api/?request-parameters-values

URL structure item definitions:

hostname: The device's IP address or domain name.
request-parameters-values: A series of multiple parameter=value pairs separated by the ampersand
character (&). These values can either be keywords or data-values in standard or XML format (response data is
always in XML format).

There are APIs for PAN-OS, User-ID, and WildFire products. For more information on how to use the API
interface, refer to the PAN-OS XML API Usage Guide.

Generate an API Key


In order to use the API to manage a firewall or application, an API key is required to authenticate all API calls.
Admin account credentials are used to generate API keys.
As a best practice, create a separate admin account for XML-based administration.

Generate an API key

Step 1

Create an administrator account.
1. In the web interface, on the Device > Administrators tab, click Add.
2. Enter a login Name for the admin.
3. Enter and confirm a Password for the admin.
4. Click OK and Commit.

Step 2

Request an API key.
Replace the hostname, username and password parameters in the following URL with the appropriate values
from your administrator account credentials:
http(s)://hostname/api/?type=keygen&user=username&password=password
The API key is displayed in an XML block. For example:
<response status="success">
<result>
<key>0RgWc42Oi0vDx2WRUIUM6A</key>
</result>
</response>

Step 3

(Optional) Revoke or change an API key.
For PAN-OS 4.1.0 and later releases, generating an API key using the same administrator account credentials
returns unique API keys every time, and all of the keys are valid. You can choose to revoke and then change an
API key associated with an administrator account by changing the password associated with the administrator
account. Any API keys that were generated using the previous credentials would no longer be valid.
1. On the Device > Administrators tab, open the administrator account associated with the API key.
2. Enter and confirm a new Password for the administrator account.
3. Click OK and Commit. Any API keys associated with the admin account prior to the password change are
revoked upon Commit.
4. (Optional) Use the updated administrator account credentials to generate a new API key. See Step 2.

Example work flow using an API key:

Request an API key by entering the URL with the appropriate values in a web browser:
https://10.xx.10.50/esp/restapi.esp?type=keygen&user=admin&password=admin
Entering the URL displays an XML block that contains the API key:
<response status="success">
<result>
<key>0RgWc42Oi0vDx2WRUIUM6A</key>
</result>
</response>
Continue to use the API key to create API requests. For example, to generate a report:
https://10.xx.10.50/esp/restapi.esp?type=report&reporttype=dynamic&reportname=top-app-summary&period=last-hour&topn=5&key=0RgWc42Oi0vDx2WRUIUM6A=
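The following Python script is an added example, not code from the guide or from Palo Alto Networks' own tooling. It wraps the two calls described above for PAN-OS 4.1.0 and later (the /api/ URL form): a keygen request and a keyed report request. Unlike the browser workflow, it sends the credentials and the key in a POST body rather than in the query string, so they stay out of browser history and web server logs; it verifies the management interface's TLS certificate; and it treats a status="error" response (for example, after the administrator password was changed and the old key revoked, as in Step 3) as a failure instead of silently using an empty result. The hostname firewall.example, the account apiadmin, the CA file name and the error response text are constructed placeholders; the success response reuses the sample key shown in the guide.

```python
"""Minimal PAN-OS XML API helper: key generation and a keyed request.

Added example (not Palo Alto Networks code). The host, account, CA file
and sample responses below are constructed placeholders.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed keygen response in the shape the guide shows (same sample key).
SAMPLE_KEYGEN_OK = (
    '<response status="success"><result>'
    '<key>0RgWc42Oi0vDx2WRUIUM6A</key></result></response>'
)
# Constructed error response, e.g. after the admin password was changed.
SAMPLE_KEYGEN_ERR = (
    '<response status="error" code="403"><result>'
    '<msg>Invalid credentials.</msg></result></response>'
)


class PanApiError(Exception):
    """Raised when the firewall answers with a status other than success."""


def build_keygen_request(host, user, password):
    """Return (url, body) for a POST type=keygen request.

    Credentials go in the POST body, not the query string, so they do not
    land in browser history, proxy logs or the firewall's web server logs.
    """
    url = f"https://{host}/api/"
    body = urllib.parse.urlencode(
        {"type": "keygen", "user": user, "password": password}
    ).encode()
    return url, body


def build_keyed_request(host, key, **params):
    """Return (url, body) for any keyed API call, e.g. a report request."""
    params["key"] = key  # the key rides in the body for the same reason
    return f"https://{host}/api/", urllib.parse.urlencode(params).encode()


def body_params(body):
    """Decode a request body back into a {name: value} dict (for inspection)."""
    return dict(urllib.parse.parse_qsl(body.decode()))


def parse_response(xml_text):
    """Parse an XML API response and return its <result> element.

    Raises PanApiError with the firewall's message when status is not
    "success", so a revoked key or bad password is never treated as data.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or "unknown error"
        raise PanApiError(
            f"status={root.get('status')} code={root.get('code')}: {msg}"
        )
    result = root.find("result")
    if result is None:
        raise PanApiError("response has no <result> element")
    return result


def parse_api_key(xml_text):
    """Extract the key from a type=keygen response."""
    key = parse_response(xml_text).findtext("key")
    if not key:
        raise PanApiError("keygen response has no <key> element")
    return key.strip()


def send(url, body, cafile=None, timeout=30):
    """POST the body over HTTPS, verifying the management interface certificate.

    cafile is the PEM bundle of the CA that issued the firewall's certificate;
    with None the system trust store is used. Verification stays on because
    the password or API key travels in this request.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample responses.
    key = parse_api_key(SAMPLE_KEYGEN_OK)
    url, body = build_keyed_request(
        "firewall.example", key, type="report", reporttype="dynamic",
        reportname="top-app-summary", period="last-hour", topn="5")
    print(url, body_params(body))
    # Against a real firewall (hypothetical host and CA file):
    # xml_text = send(*build_keygen_request("firewall.example", "apiadmin",
    #                                       getpass.getpass()), cafile="fw-ca.pem")
```

Usage: call build_keygen_request once, store the returned key in a secrets store rather than in a script or shell history, and pass it to build_keyed_request for every later call; any PanApiError from parse_response after a password change means the key was revoked and must be regenerated.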


Manage Firewall Administrators


Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks
firewalls. Every Palo Alto Networks firewall has a predefined default administrative account (admin) that
provides full read-write access (also known as superuser access) to the firewall.
As a best practice, create a separate administrative account for each person who needs access
to the administrative or reporting functions of the firewall. This enables you to better protect the
firewall from unauthorized configuration and enables logging of the actions of individual
administrators.

Administrative Roles

Administrative Authentication

Configure Administrative Accounts and Authentication


Administrative Roles
A role defines the type of access that an administrator has to the firewall.

Administrative Role Types

Configure an Admin Role Profile

Administrative Role Types


The role types are:

Dynamic Roles: Predefined roles that provide read-write superuser, read-only superuser, read-write
device administrator, read-only device administrator, read-write virtual system administrator, and read-only
virtual system administrator access to the firewall. With dynamic roles, you don't have to worry about
updating the role definitions as new features are added; PAN-OS automatically updates dynamic roles.

Admin Role Profiles: Custom roles you can configure for more granular access control over the
functional areas of the web interface, CLI, and XML API. For example, you can create an Admin Role profile
for your operations staff that provides access to the firewall and network configuration areas of the web
interface and a separate profile for your security administrators that provides access to security policy
definitions, logs, and reports. Note that you must update Admin Role profiles to explicitly assign privileges
for new features/components that are added to the product. For details on the privileges you can configure
for custom administrator roles, see Reference: Web Interface Administrator Access.

Configure an Admin Role Profile


Admin Role profiles enable you to define granular administrative access privileges to ensure protection for
sensitive company information and privacy for end users. As a best practice, create Admin Role profiles that
allow administrators to access only the areas of the management interfaces that they require to perform their
jobs.
Configure an Admin Role Profile

Step 1

Select Device > Admin Roles and click Add.

Step 2

Enter a Name to identify the role.

Step 3

For the scope of the Role, select Device or Virtual System.

Step 4

In the Web UI and XML API tabs, click the icon for each functional area to toggle it to the desired setting: Enable,
Read Only, or Disable. For details on the Web UI options, see Web Interface Access Privileges.

Step 5

Select the Command Line tab and select a CLI access option. The Role scope controls the available options:
Device role: superuser, superreader, deviceadmin, devicereader, or None
Virtual System role: vsysadmin, vsysreader, or None

Step 6

Click OK to save the profile.

Step 7

Assign the role to an administrator. See Configure an Administrative Account.


Administrative Authentication
You can configure the following types of administrator authentication (account type, authentication method,
description):

Local account, Local database authentication: Both the administrator account credentials and the
authentication mechanisms are local to the firewall. You can further secure a local administrator account by
creating a password profile that defines a validity period for passwords and by setting firewall-wide password
complexity settings. If your network supports Kerberos single sign-on (SSO), you can configure local
authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local
Authentication for Administrators.

Local account, SSL-based authentication: The administrator accounts are local to the firewall, but
authentication is based on SSH certificates (for CLI access) or client certificates (for web interface access).
For details, see Configure SSH Key-Based Administrator Authentication to the CLI and Configure
Certificate-Based Administrator Authentication to the Web Interface.

Local account, External service authentication: The administrator accounts are local to the firewall, but
external services (LDAP, Kerberos, TACACS+, or RADIUS) handle the authentication functions. If your
network supports Kerberos single sign-on (SSO), you can configure external authentication as a fallback in
case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for
Administrators.

External account, External service authentication: An external RADIUS server handles account
management and authentication. You must define Vendor-Specific Attributes (VSAs) on your RADIUS server
that map to the administrator role, access domain, user group (if applicable), and virtual system (if
applicable). For details, see Configure RADIUS Vendor-Specific Attributes for Administrator Authentication.


Configure Administrative Accounts and Authentication

Configure an Administrative Account

Configure Kerberos SSO and External or Local Authentication for Administrators

Configure Certificate-Based Administrator Authentication to the Web Interface

Configure SSH Key-Based Administrator Authentication to the CLI

Configure RADIUS Vendor-Specific Attributes for Administrator Authentication


Configure an Administrative Account


Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks
firewalls.
Configure an Administrative Account

Step 1

Select Device > Administrators and click Add.

Step 2

Enter a user Name.

Step 3

Select an Authentication Profile or sequence if you configured either for the user. The default option None
specifies that the firewall stores the password in the administrator account itself and authenticates the account
locally, without using the Local User Database; in that case you must enter and confirm the Password.

Step 4

Select the Administrator Type. If you configured a custom role for the user, select Role Based and select the
Admin Role Profile. Otherwise, select Dynamic (the default) and select a dynamic role.

Step 5

Click OK and Commit.


Configure Kerberos SSO and External or Local Authentication for Administrators

You can configure the firewall to first try Kerberos single sign-on (SSO) authentication and, if that fails, fall back
to External service or Local database authentication.
Configure Kerberos SSO and External or Local Authentication for Administrators

Step 1

Configure a Kerberos keytab for the firewall. Required for Kerberos SSO authentication.
Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and
hashed password) for the firewall.

Step 2

Configure an Admin Role profile. Required if you are assigning a custom role to the administrator.
Configure an Admin Role Profile.

Step 3

Create the local database. Required for local database authentication.
1. Add the user account:
a. Select Device > Local User Database > Users and click Add.
b. Enter a user Name for the administrator.
c. Enter a Password and Confirm Password.
d. Be sure the Enable check box is selected and click OK.
2. (Optional) If the user is a member of a group, assign the user to that group:
a. Select Device > Local User Database > User Groups and click the Name of an existing group to edit it,
or click Add to create a new group.
b. Enter a Name to identify the group.
c. Click Add, select the user you just created, and click OK.

Step 4

Configure access to an external authentication service. Required for external authentication.
Configure a server profile for the authentication service type:
Configure a RADIUS Server Profile.
Configure a TACACS+ Server Profile.
Configure an LDAP Server Profile.
Configure a Kerberos Server Profile.

Step 5

Configure an authentication profile.
Configure an Authentication Profile and Sequence.
If your users are in multiple Kerberos realms, create an authentication profile for each realm and assign all
the profiles to an authentication sequence. You can then assign the same authentication sequence to all user
accounts (Step 6).

Step 6

Configure an administrator account.
Configure an Administrative Account.
For local database authentication, specify the Name of the user you defined in Step 3.
Assign the Authentication Profile or sequence and the Admin Role Profile that you just created.


Configure Certificate-Based Administrator Authentication to the Web Interface

As a more secure alternative to password-based authentication to the web interface of a Palo Alto Networks
firewall, you can configure certificate-based authentication for administrator accounts that are local to the
firewall. Certificate-based authentication involves the exchange and verification of a digital signature instead of
a password.
Configuring certificate-based authentication for any administrator disables the
username/password logins for all administrators on the firewall; administrators thereafter require
the certificate to log in.

Configure Certificate-Based Administrator Authentication to the Web Interface

Step 1

Generate a certificate authority (CA) certificate on the firewall. You will use this CA certificate to sign the
client certificate of each administrator.
Create a Self-Signed Root CA Certificate. Alternatively, you can Import a Certificate and Private Key from
your enterprise CA.

Step 2

Configure a certificate profile for securing access to the web interface.
Configure a Certificate Profile.
Set the Username Field to Subject.
Select Add in the CA Certificates section and select the CA Certificate you just created or imported.

Step 3

Configure the firewall to use the certificate profile for authenticating administrators.
1. Select Device > Setup > Management and edit the Authentication Settings.
2. Select the Certificate Profile you just created and click OK.

Step 4

Configure the administrator accounts to use client certificate authentication.
For each administrator who will access the firewall web interface, Configure an Administrative Account.
Select the Use only client certificate authentication check box.
If you have already deployed client certificates that your enterprise CA generated, skip to Step 8. Otherwise,
go to Step 5.

Step 5

Generate a client certificate for each administrator.
Generate a Certificate on the Device. In the Signed By drop-down, select the CA certificate you created.

Step 6

Export the client certificate.
1. Export a Certificate and Private Key.
2. Commit your changes. The firewall restarts and terminates your login session. Thereafter, administrators
can access the web interface only from client systems that have the client certificate you generated.

Step 7

Import the client certificate into the client system of each administrator who will access the web interface.
Refer to your web browser documentation.

Step 8

Verify that administrators can access the web interface.
1. Open the firewall IP address in a browser on the computer that has the client certificate.
2. When prompted, select the certificate you imported and click OK. The browser displays a certificate
warning.
3. Add the certificate to the browser exception list.
4. Click Login. The web interface should appear without prompting you for a username or password.

Configure SSH Key-Based Administrator Authentication to the CLI

For administrators who use Secure Shell (SSH) to access the CLI of a Palo Alto Networks firewall, SSH keys provide a more secure authentication method than passwords. SSH keys almost eliminate the risk of brute-force attacks, provide the option for two-factor authentication (private key and passphrase), and don't send passwords over the network. SSH keys also enable automated scripts to access the CLI.

Configure SSH Key-Based Administrator Authentication to the CLI

Step 1: Use an SSH key generation tool to create an asymmetric keypair on the client system of the administrator.
    The supported key formats are IETF SECSH and OpenSSH. The supported algorithms are DSA (1,024 bits) and RSA (768-4,096 bits).
    For the commands to generate the keypair, refer to your SSH client documentation.
    The public key and private key are separate files. Save both to a location that the firewall can access. For added security, enter a passphrase to encrypt the private key. The firewall prompts the administrator for this passphrase during login.

Step 2: Configure the administrator account to use public key authentication.
    1. Configure an Administrative Account. Configure the authentication method to use as a fallback if SSH key authentication fails: if you configured an Authentication Profile for the administrator, select it in the drop-down; if you select None, you must enter a Password and Confirm Password. Select the Use Public Key Authentication (SSH) check box, click Import Key, Browse to the public key you just generated, and click OK.
    2. Commit your changes.

Step 3: Configure the SSH client to use the private key to authenticate to the firewall.
    Perform this task on the client system of the administrator. For the steps, refer to your SSH client documentation.

Step 4: Verify that the administrator can access the firewall CLI using SSH key authentication.
    1. Use a browser on the client system of the administrator to go to the firewall IP address.
    2. Log in to the firewall CLI as the administrator. After entering a username, you will see the following output (the key value is an example):
       Authenticating with public key dsa-key-20130415
    3. If prompted, enter the passphrase you defined when creating the keys.
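As an added example (not code from the guide or from Palo Alto Networks), the following Python script checks an administrator's exported public key against the algorithm and key-size limits quoted in Step 1 before it is imported, and converts the key between the two accepted file formats, OpenSSH one-line and IETF SECSH (RFC 4716). The demo key it builds is synthetic, and it assumes a standard Python 3 installation with no third-party packages.

```python
"""Pre-import check for an administrator's SSH public key.

Constructed example; not code from the PAN-OS guide or Palo Alto Networks.
It parses an OpenSSH public-key line, checks the algorithm and key size
against the limits the guide quotes (DSA 1,024 bits; RSA 768-4,096 bits),
and converts between the two accepted file formats, OpenSSH one-line and
IETF SECSH (RFC 4716). Standard library only; the demo key is synthetic.
"""
import base64
import struct

# Algorithm name on the wire -> (minimum bits, maximum bits) from the guide.
SUPPORTED = {"ssh-rsa": (768, 4096), "ssh-dss": (1024, 1024)}


def _read_string(blob: bytes, pos: int):
    """Decode one SSH wire 'string': uint32 length prefix followed by bytes."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length


def parse_openssh_pubkey(line: str):
    """Return (algorithm, key_bits, comment) for an OpenSSH public-key line."""
    parts = line.strip().split(None, 2)
    alg, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) > 2 else ""
    blob = base64.b64decode(b64)
    wire_alg, pos = _read_string(blob, 0)
    if wire_alg.decode() != alg:
        raise ValueError("algorithm prefix does not match the key blob")
    if alg == "ssh-rsa":
        _e, pos = _read_string(blob, pos)      # public exponent e
        n, _ = _read_string(blob, pos)         # modulus n: its size is the key size
        bits = int.from_bytes(n, "big").bit_length()
    elif alg == "ssh-dss":
        p, _ = _read_string(blob, pos)         # DSA prime p defines the key size
        bits = int.from_bytes(p, "big").bit_length()
    else:
        raise ValueError(f"unsupported algorithm {alg}")
    return alg, bits, comment


def is_importable(line: str) -> bool:
    """True when the key is inside the algorithm/size range the guide lists."""
    alg, bits, _ = parse_openssh_pubkey(line)
    low, high = SUPPORTED[alg]
    return low <= bits <= high


def openssh_to_secsh(line: str) -> str:
    """Re-wrap an OpenSSH public key as an RFC 4716 (IETF SECSH) block."""
    _, _, comment = parse_openssh_pubkey(line)   # also validates the blob
    b64 = line.strip().split(None, 2)[1]
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    header = f'Comment: "{comment}"\n' if comment else ""
    return ("---- BEGIN SSH2 PUBLIC KEY ----\n" + header + body
            + "\n---- END SSH2 PUBLIC KEY ----\n")


def secsh_to_openssh(block: str) -> str:
    """Inverse conversion; the algorithm name is read from the decoded blob."""
    lines = [l for l in block.splitlines()
             if l and not l.startswith("----") and ":" not in l]
    b64 = "".join(lines)
    alg, _ = _read_string(base64.b64decode(b64), 0)
    return f"{alg.decode()} {b64}"


def build_demo_rsa_key(bits: int, comment: str = "admin-demo") -> str:
    """Construct a syntactically valid ssh-rsa line whose modulus has `bits`
    bits. The modulus is NOT a real RSA key; it only exercises the parser."""
    def mpint(v: int) -> bytes:
        raw = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps sign bit clear
        return struct.pack(">I", len(raw)) + raw
    name = b"ssh-rsa"
    blob = (struct.pack(">I", len(name)) + name
            + mpint(65537) + mpint((1 << (bits - 1)) | 1))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    for size in (512, 2048, 8192):
        verdict = "importable" if is_importable(build_demo_rsa_key(size)) else "rejected"
        print(f"RSA {size} bits: {verdict}")
    print(openssh_to_secsh(build_demo_rsa_key(2048)))
```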

Configure RADIUS Vendor-Specific Attributes for Administrator Authentication

The following procedure provides an overview of the tasks required to use RADIUS Vendor-Specific Attributes (VSAs) for administrator authentication to Palo Alto Networks firewalls. For detailed instructions, refer to the following Knowledge Base articles:

- For Windows 2003 Server, Windows 2008 (and later), and Cisco ACS 4.0: RADIUS Vendor-Specific Attributes (VSAs)
- For Cisco ACS 5.2: Configuring Cisco ACS 5.2 for use with Palo Alto VSA

Before starting this procedure, you must:

- Create the administrative accounts in the directory service that your network uses (for example, Active Directory).
- Set up a RADIUS server that can communicate with that directory service.

Use RADIUS Vendor-Specific Attributes for Account Authentication

Step 1: Configure the firewall.
    1. Configure an Admin Role Profile if the administrator will use a custom role.
    2. Configure an access domain if the firewall has more than one virtual system (vsys):
       a. Select Device > Access Domain, Add an access domain, and enter a Name to identify it.
       b. Add each vsys that the administrator will access, and then click OK.
    3. Configure a RADIUS Server Profile.
    4. Configure an authentication profile. Set the authentication Type to RADIUS and assign the RADIUS Server Profile.
    5. Configure the firewall to use the authentication profile for administrator access: select Device > Setup > Management, edit the Authentication Settings, and select the Authentication Profile.
    6. Click OK and Commit.

Step 2: Configure the RADIUS server.
    1. Add the firewall IP address or hostname as the RADIUS client.
    2. Define the VSAs for administrator authentication. You must specify the vendor code (25461 for Palo Alto Networks firewalls) and the VSA name, number, and value: see RADIUS Vendor-Specific Attributes for Palo Alto Networks Devices.
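The following Python example, added here and not part of the guide or of any vendor code, shows how the VSA defined in Step 2 is laid out on the wire: an RFC 2865 Vendor-Specific attribute (type 26) carrying the vendor code 25461 followed by a vendor-type number and value, and how a receiver picks the Palo Alto attributes out of an Access-Accept while ignoring everything else. The vendor-type numbers and names in PALOALTO_VSA are taken from the vendor's published RADIUS dictionary and are an assumption to verify against the referenced Knowledge Base article; the role and access-domain names are constructed.

```python
"""Encode and decode RADIUS Vendor-Specific Attributes (RFC 2865, type 26)
that carry Palo Alto Networks VSAs.

Added example, not code from the PAN-OS guide, the firewall, or any RADIUS
server. The vendor code 25461 is the value quoted in the guide. The VSA
names and vendor-type numbers below are taken from the vendor's RADIUS
dictionary and are an assumption; verify them against the referenced
Knowledge Base article. Sample role and access-domain names are constructed.
"""
import struct

PALO_ALTO_VENDOR_ID = 25461   # vendor code from the guide
VSA_TYPE = 26                 # RFC 2865 Vendor-Specific attribute type

# Vendor-type numbers as published in the vendor dictionary (assumed here).
PALOALTO_VSA = {
    "PaloAlto-Admin-Role": 1,
    "PaloAlto-Admin-Access-Domain": 2,
    "PaloAlto-Panorama-Admin-Role": 3,
    "PaloAlto-Panorama-Admin-Access-Domain": 4,
    "PaloAlto-User-Group": 5,
}
_BY_NUMBER = {v: k for k, v in PALOALTO_VSA.items()}


def encode_vsa(name: str, value: str) -> bytes:
    """Encode one VSA in the RFC 2865 section 5.26 layout:
    Type(26) | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | String."""
    vendor_type = PALOALTO_VSA[name]
    data = value.encode()
    inner = struct.pack(">BB", vendor_type, 2 + len(data)) + data
    payload = struct.pack(">I", PALO_ALTO_VENDOR_ID) + inner
    length = 2 + len(payload)
    if length > 255:                      # RADIUS attribute length is one byte
        raise ValueError("RADIUS attribute exceeds 255 bytes")
    return struct.pack(">BB", VSA_TYPE, length) + payload


def decode_attributes(packet_attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return the Palo Alto VSAs it carries
    as (name, value) tuples. Non-VSA attributes and other vendors' VSAs are
    skipped, so an Access-Accept with unrelated attributes decodes cleanly."""
    found = []
    pos = 0
    while pos + 2 <= len(packet_attrs):
        attr_type, attr_len = packet_attrs[pos], packet_attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet_attrs):
            raise ValueError("malformed attribute length")
        body = packet_attrs[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != VSA_TYPE or len(body) < 6:
            continue
        (vendor_id,) = struct.unpack(">I", body[:4])
        if vendor_id != PALO_ALTO_VENDOR_ID:
            continue
        # One VSA may carry several vendor sub-attributes; walk them all.
        sub = body[4:]
        spos = 0
        while spos + 2 <= len(sub):
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            val = sub[spos + 2:spos + vlen].decode(errors="replace")
            found.append((_BY_NUMBER.get(vtype, f"vendor-type-{vtype}"), val))
            spos += vlen
    return found


def admin_role_from_accept(packet_attrs: bytes):
    """Return (admin role, access domain) asserted by the RADIUS server,
    with None for any attribute that is absent."""
    vsas = dict(decode_attributes(packet_attrs))
    return (vsas.get("PaloAlto-Admin-Role"),
            vsas.get("PaloAlto-Admin-Access-Domain"))


# Constructed Access-Accept attribute list: an unrelated Reply-Message
# (type 18) followed by two Palo Alto VSAs.
SAMPLE_ACCEPT = (
    bytes([18, 2 + len(b"welcome")]) + b"welcome"
    + encode_vsa("PaloAlto-Admin-Role", "ops-readonly")
    + encode_vsa("PaloAlto-Admin-Access-Domain", "vsys1-domain")
)

if __name__ == "__main__":
    print(encode_vsa("PaloAlto-Admin-Role", "superuser").hex())
    print(admin_role_from_accept(SAMPLE_ACCEPT))
```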

Reference: Web Interface Administrator Access


You can configure privileges for an entire device or for one or more virtual systems (on platforms that support
multiple virtual systems). Within that Device or Virtual System designation, you can configure privileges for
custom administrator roles, which are more granular than the fixed privileges associated with a dynamic
administrator role.
Configuring privileges at a granular level ensures that lower level administrators cannot access certain
information. You can create custom roles for firewall administrators (see Configure an Administrative Account),
Panorama administrators, or Device Group and Template administrators (refer to the Panorama Administrators
Guide). The following topics describe the privileges you can configure for custom administrator roles.

- Web Interface Access Privileges
- Panorama Web Interface Access

Web Interface Access Privileges


If you want to prevent a role-based administrator from accessing specific tabs on the web interface, you can
disable the tab and the administrator will not even see it when logging in using the associated role-based
administrative account. For example, you could create an Admin Role Profile for your operations staff that
provides access to the Device and Network tabs only and a separate profile for your security administrators that
provides access to the Object, Policy, and Monitor tabs.
An admin role can apply at the Device level or Virtual System level; the choice is made in the Admin Role Profile
by clicking the Device or Virtual System radio button. If the Virtual System button is selected, the admin assigned
this profile is restricted to the virtual system(s) he or she is assigned to. Furthermore, only the Device > Setup >
Services > Virtual Systems tab is available to that admin, not the Global tab.
The following table describes the tab-level access privileges you can assign to the admin role profile at the Device
level. It also provides cross-references to additional tables that detail granular privileges within a tab.
You can also configure an admin role profile to:

- Define User Privacy Settings in the Admin Role Profile
- Restrict Admin Access to Commit Functions
- Restrict Admin Access to Validate Functions
- Provide Granular Access to Global Settings

Access Level / Description / Enable / Read Only / Disable

Dashboard (Enable: Yes; Read Only: No; Disable: Yes)
    Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets.

ACC (Enable: Yes; Read Only: No; Disable: Yes)
    Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full Ip Addresses option and/or the Show User Names In Logs And Reports option.

Monitor (Enable: Yes; Read Only: No; Disable: Yes)
    Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports or to App Scope. For more granular control over what monitoring information the admin can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab.

Policies (Enable: Yes; Read Only: No; Disable: Yes)
    Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the admin can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab.

Objects (Enable: Yes; Read Only: No; Disable: Yes)
    Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the admin can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab.

Network (Enable: Yes; Read Only: No; Disable: Yes)
    Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what objects the admin can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab.

Device (Enable: Yes; Read Only: No; Disable: Yes)
    Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any device-wide configuration information, such as User-ID, High Availability, server profile or certificate configuration information. For more granular control over what objects the admin can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab.
    You cannot enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab.

Provide Granular Access to the Monitor Tab


In some cases you might want to enable the administrator to view some but not all areas of the Monitor tab. For
example, you might want to restrict operations administrators to the Config and System logs only, because they
do not contain sensitive user data. Although this section of the admin role definition specifies what areas of the
Monitor tab the administrator can see, you can also couple privileges in this section with privacy privileges, such
as disabling the ability to see usernames in logs and reports. One thing to keep in mind, however, is that any
system-generated reports will still show usernames and IP addresses even if you disable that functionality in the
role. For this reason, if you do not want the administrator to see any of the private user information, disable
access to the specific reports as detailed in the following table.
The following table lists the Monitor tab access levels and the administrator roles for which they are available.
Device Group and Template roles can see log data only for the device groups that are within the
access domains assigned to those roles.

Access Level / Description / Admin Role Availability / Enable / Read Only / Disable

Monitor (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Enables or disables access to the Monitor tab. If disabled, the admin will not see this tab or any of the associated logs or reports.

Logs (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Enables or disables access to all log files. You can also leave this privilege enabled and then disable specific logs that you do not want the admin to see. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the logs, you can disable the Privacy > Show Full Ip Addresses option and/or the Show User Names In Logs And Reports option.

Traffic (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can see the traffic logs.

Threat (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can see the threat logs.

URL Filtering (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can see the URL filtering logs.

WildFire Submissions (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can see the WildFire logs. These logs are only available if you have a WildFire subscription.

Data Filtering (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can see the data filtering logs.

HIP Match (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can see the HIP Match logs. HIP Match logs are only available if you have a GlobalProtect portal license and gateway subscription.

Configuration (Firewall: Yes; Panorama: Yes; Device Group/Template: No) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can see the configuration logs.

System (Firewall: Yes; Panorama: Yes; Device Group/Template: No) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can see the system logs.

Alarms (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can see system-generated alarms.

Automated Correlation Engine (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Enables or disables access to the correlation objects and correlated event logs generated on the firewall.

Correlation Objects (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: Yes; Disable: Yes)
    Specifies whether the admin can view and enable/disable the correlation objects.

Correlated Events (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin

Packet Capture (Firewall: Yes; Panorama: No; Device Group/Template: No) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can see packet captures (pcaps) from the Monitor tab. Keep in mind that packet captures are raw flow data and as such may contain user IP addresses. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in the pcap and you should therefore disable the Packet Capture privilege if you are concerned about user privacy.

App Scope (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can see the App Scope visibility and analysis tools. Enabling App Scope enables access to all of the App Scope charts.

Session Browser (Firewall: Yes; Panorama: No; Device Group/Template: No) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can browse and filter current running sessions on the firewall. Keep in mind that the session browser shows raw flow data and as such may contain user IP addresses. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in the session browser and you should therefore disable the Session Browser privilege if you are concerned about user privacy.

Botnet (Firewall: Yes; Panorama: No; Device Group/Template: No) (Enable: Yes; Read Only: Yes; Disable: Yes)
    Specifies whether the admin can generate and view botnet analysis reports or view botnet reports in read-only mode. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in scheduled botnet reports and you should therefore disable the Botnet privilege if you are concerned about user privacy.

PDF Reports (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Enables or disables access to all PDF reports. You can also leave this privilege enabled and then disable specific PDF reports that you do not want the admin to see. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the reports, you can disable the Privacy > Show Full Ip Addresses option and/or the Show User Names In Logs And Reports option.

Manage PDF Summary (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: Yes; Disable: Yes)
    Specifies whether the admin can view, add or delete PDF summary report definitions. With read-only access, the admin can see PDF summary report definitions, but not add or delete them. If you disable this option, the admin can neither view the report definitions nor add/delete them.

PDF Summary Reports (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can see the generated PDF Summary reports in Monitor > Reports. If you disable this option, the PDF Summary Reports category will not display in the Reports node.

User Activity Report (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: Yes; Disable: Yes)
    Specifies whether the admin can view, add or delete User Activity report definitions and download the reports. With read-only access, the admin can see User Activity report definitions, but not add, delete, or download them. If you disable this option, the admin cannot see this category of PDF report.

Report Groups (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: Yes; Disable: Yes)
    Specifies whether the admin can view, add or delete report group definitions. With read-only access, the admin can see report group definitions, but not add or delete them. If you disable this option, the admin cannot see this category of PDF report.

Email Scheduler (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: Yes; Disable: Yes)
    Specifies whether the admin can schedule report groups for email. Because the generated reports that get emailed may contain sensitive user data that is not removed by disabling the Privacy > Show Full Ip Addresses option and/or the Show User Names In Logs And Reports options, and because they may also show log data to which the admin does not have access, you should disable the Email Scheduler option if you have user privacy requirements.

Manage Custom Reports (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Enables or disables access to all custom report functionality. You can also leave this privilege enabled and then disable specific custom report categories that you do not want the admin to be able to access. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the reports, you can disable the Privacy > Show Full Ip Addresses option and/or the Show User Names In Logs And Reports option.
    Reports that are scheduled to run rather than run on demand will show IP address and user information. In this case, be sure to restrict access to the corresponding report areas. In addition, the custom report feature does not restrict the ability to generate reports that contain log data contained in logs that are excluded from the admin role.

Application Statistics (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can create a custom report that includes data from the application statistics database.

Data Filtering Log (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can create a custom report that includes data from the Data Filtering logs.

Threat Log (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can create a custom report that includes data from the Threat logs.

Threat Summary (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can create a custom report that includes data from the Threat Summary database.

Traffic Log (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can create a custom report that includes data from the Traffic logs.

Traffic Summary (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can create a custom report that includes data from the Traffic Summary database.

URL Log (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can create a custom report that includes data from the URL Filtering logs.

Hipmatch (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can create a custom report that includes data from the HIP Match logs.

WildFire Log (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can create a custom report that includes data from the WildFire logs.

View Scheduled Custom Reports (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can view a custom report that has been scheduled to generate.

View Predefined Application Reports (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can view Application Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.

View Predefined Threat Reports (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can view Threat Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.

View Predefined URL Filtering Reports (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can view URL Filtering Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.

View Predefined Traffic Reports (Firewall: Yes; Panorama: Yes; Device Group/Template: Yes) (Enable: Yes; Read Only: No; Disable: Yes)
    Specifies whether the admin can view Traffic Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.
Provide Granular Access to the Policy Tab


If you enable the Policy option in the admin role profile, you can then enable, disable, or provide read-only
access to specific nodes within the tab as necessary for the admin role you are defining. By enabling access to a
specific policy type, you enable the ability to view, add, or delete policy rules. By enabling read-only access to a
specific policy, you enable the admin to view the corresponding policy rule base, but not add or delete rules.
Disabling access to a specific type of policy prevents the admin from seeing the policy rule base.
Because policy that is based on specific users (by user name or IP address) must be explicitly defined, privacy
settings that disable the ability to see full IP addresses or user names do not apply to the Policy tab. Therefore,
you should only allow access to the Policy tab to administrators that are excluded from user privacy restrictions.
Access Level / Description / Enable / Read Only / Disable

Security (Enable: Yes; Read Only: Yes; Disable: Yes)
    Enable this privilege to allow the admin to view, add, and/or delete security rules. Set the privilege to read-only if you want the admin to be able to see the rules, but not modify them. To prevent the admin from seeing the security rulebase, disable this privilege.

NAT (Enable: Yes; Read Only: Yes; Disable: Yes)
    Enable this privilege to allow the admin to view, add, and/or delete NAT rules. Set the privilege to read-only if you want the admin to be able to see the rules, but not modify them. To prevent the admin from seeing the NAT rulebase, disable this privilege.

QoS (Enable: Yes; Read Only: Yes; Disable: Yes)
    Enable this privilege to allow the admin to view, add, and/or delete QoS rules. Set the privilege to read-only if you want the admin to be able to see the rules, but not modify them. To prevent the admin from seeing the QoS rulebase, disable this privilege.

Policy Based Forwarding (Enable: Yes; Read Only: Yes; Disable: Yes)
    Enable this privilege to allow the admin to view, add, and/or delete Policy-Based Forwarding (PBF) rules. Set the privilege to read-only if you want the admin to be able to see the rules, but not modify them. To prevent the admin from seeing the PBF rulebase, disable this privilege.

Decryption (Enable: Yes; Read Only: Yes; Disable: Yes)
    Enable this privilege to allow the admin to view, add, and/or delete decryption rules. Set the privilege to read-only if you want the admin to be able to see the rules, but not modify them. To prevent the admin from seeing the decryption rulebase, disable this privilege.

Application Override (Enable: Yes; Read Only: Yes; Disable: Yes)
    Enable this privilege to allow the admin to view, add, and/or delete application override policy rules. Set the privilege to read-only if you want the admin to be able to see the rules, but not modify them. To prevent the admin from seeing the application override rulebase, disable this privilege.

Captive Portal (Enable: Yes; Read Only: Yes; Disable: Yes)
    Enable this privilege to allow the admin to view, add, and/or delete Captive Portal rules. Set the privilege to read-only if you want the admin to be able to see the rules, but not modify them. To prevent the admin from seeing the Captive Portal rulebase, disable this privilege.

DoS Protection (Enable: Yes; Read Only: Yes; Disable: Yes)
    Enable this privilege to allow the admin to view, add, and/or delete DoS protection rules. Set the privilege to read-only if you want the admin to be able to see the rules, but not modify them. To prevent the admin from seeing the DoS protection rulebase, disable this privilege.

Provide Granular Access to the Objects Tab


An object is a container that groups specific policy filter values (such as IP addresses, URLs, applications, or services) for simplified rule definition. For example, an address object might contain specific IP address definitions for the web and application servers in your DMZ zone.
When deciding whether to allow access to the objects tab as a whole, determine whether the admin will have
policy definition responsibilities. If not, the admin probably does not need access to the tab. If, however, the
admin will need to create policy, you can enable access to the tab and then provide granular access privileges at
the node level.
By enabling access to a specific node, you give the admin the privilege to view, add, and delete the corresponding
object type. Giving read-only access allows the admin to view the already defined objects, but not create or
delete any. Disabling a node prevents the admin from seeing the node in the web interface.

94 PAN-OS 7.0 Administrators Guide

Palo Alto Networks

Device Management

Reference: Web Interface Administrator Access

Access Level

Description

Enable

Read Only Disable

Addresses

Specifies whether the admin can view, add, or delete


address objects for use in security policy.

Yes

Yes

Yes

Address Groups

Specifies whether the admin can view, add, or delete


address group objects for use in security policy.

Yes

Yes

Yes

Regions

Yes
Specifies whether the admin can view, add, or delete
regions objects for use in security, decryption, or DoS
policy.

Yes

Yes

Applications

Specifies whether the admin can view, add, or delete


application objects for use in policy.

Yes

Yes

Yes

Application Groups
    Specifies whether the admin can view, add, or delete application group objects for use in policy.
    Enable: Yes | Read Only: Yes | Disable: Yes

Application Filters
    Specifies whether the admin can view, add, or delete application filters for simplification of repeated searches.
    Enable: Yes | Read Only: Yes | Disable: Yes

Services
    Specifies whether the admin can view, add, or delete service objects for use in creating policy rules that limit the port numbers an application can use.
    Enable: Yes | Read Only: Yes | Disable: Yes

Service Groups
    Specifies whether the admin can view, add, or delete service group objects for use in security policy.
    Enable: Yes | Read Only: Yes | Disable: Yes

Tags
    Specifies whether the admin can view, add, or delete tags that have been defined on the device.
    Enable: Yes | Read Only: Yes | Disable: Yes

GlobalProtect
    Specifies whether the admin can view, add, or delete HIP objects and profiles. You can restrict access to both types of objects at the GlobalProtect level, or provide more granular control by enabling the GlobalProtect privilege and restricting HIP Object or HIP Profile access.
    Enable: Yes | Read Only: No | Disable: Yes

HIP Objects
    Specifies whether the admin can view, add, or delete HIP objects, which are used to define HIP profiles. HIP Objects also generate HIP Match logs.
    Enable: Yes | Read Only: Yes | Disable: Yes

HIP Profiles
    Specifies whether the admin can view, add, or delete HIP Profiles for use in security policy and/or for generating HIP Match logs.
    Enable: Yes | Read Only: Yes | Disable: Yes

Dynamic Block Lists
    Specifies whether the admin can view, add, or delete dynamic block lists for use in security policy.
    Enable: Yes | Read Only: Yes | Disable: Yes

Custom Objects
    Specifies whether the admin can see the custom spyware and vulnerability signatures. You can either enable or disable access to all custom signatures at this level, or provide more granular control by enabling the Custom Objects privilege and then restricting access to each type of signature.
    Enable: Yes | Read Only: No | Disable: Yes

Data Patterns
    Specifies whether the admin can view, add, or delete custom data pattern signatures for use in creating custom Vulnerability Protection profiles.
    Enable: Yes | Read Only: Yes | Disable: Yes

Spyware
    Specifies whether the admin can view, add, or delete custom spyware signatures for use in creating custom Vulnerability Protection profiles.
    Enable: Yes | Read Only: Yes | Disable: Yes

Vulnerability
    Specifies whether the admin can view, add, or delete custom vulnerability signatures for use in creating custom Vulnerability Protection profiles.
    Enable: Yes | Read Only: Yes | Disable: Yes

URL Category
    Specifies whether the admin can view, add, or delete custom URL categories for use in policy.
    Enable: Yes | Read Only: Yes | Disable: Yes

Security Profiles
    Specifies whether the admin can see security profiles. You can either enable or disable access to all security profiles at this level, or provide more granular control by enabling the Security Profiles privilege and then restricting access to each type of profile.
    Enable: Yes | Read Only: No | Disable: Yes

Antivirus
    Specifies whether the admin can view, add, or delete antivirus profiles.
    Enable: Yes | Read Only: Yes | Disable: Yes

Anti-Spyware
    Specifies whether the admin can view, add, or delete Anti-Spyware profiles.
    Enable: Yes | Read Only: Yes | Disable: Yes

Vulnerability Protection
    Specifies whether the admin can view, add, or delete Vulnerability Protection profiles.
    Enable: Yes | Read Only: Yes | Disable: Yes

URL Filtering
    Specifies whether the admin can view, add, or delete URL filtering profiles.
    Enable: Yes | Read Only: Yes | Disable: Yes

File Blocking
    Specifies whether the admin can view, add, or delete file blocking profiles.
    Enable: Yes | Read Only: Yes | Disable: Yes

Data Filtering
    Specifies whether the admin can view, add, or delete data filtering profiles.
    Enable: Yes | Read Only: Yes | Disable: Yes

DoS Protection
    Specifies whether the admin can view, add, or delete DoS protection profiles.
    Enable: Yes | Read Only: Yes | Disable: Yes

Security Profile Groups
    Specifies whether the admin can view, add, or delete security profile groups.
    Enable: Yes | Read Only: Yes | Disable: Yes

Log Forwarding
    Specifies whether the admin can view, add, or delete log forwarding profiles.
    Enable: Yes | Read Only: Yes | Disable: Yes

Decryption Profile
    Specifies whether the admin can view, add, or delete decryption profiles.
    Enable: Yes | Read Only: Yes | Disable: Yes

Schedules
    Specifies whether the admin can view, add, or delete schedules for limiting a security policy to a specific date and/or time range.
    Enable: Yes | Read Only: Yes | Disable: Yes


Provide Granular Access to the Network Tab


When deciding whether to allow access to the Network tab as a whole, determine whether the admin will have
network administration responsibilities, including GlobalProtect administration. If not, the admin probably
does not need access to the tab.
You can also define access to the Network tab at the node level. By enabling access to a specific node, you give
the admin the privilege to view, add, and delete the corresponding network configurations. Giving read-only
access allows the admin to view the already-defined configuration, but not create or delete any. Disabling a node
prevents the admin from seeing the node in the web interface.
Access Level | Description | Enable | Read Only | Disable

Interfaces
    Specifies whether the admin can view, add, or delete interface configurations.
    Enable: Yes | Read Only: Yes | Disable: Yes

Zones
    Specifies whether the admin can view, add, or delete zones.
    Enable: Yes | Read Only: Yes | Disable: Yes

VLANs
    Specifies whether the admin can view, add, or delete VLANs.
    Enable: Yes | Read Only: Yes | Disable: Yes

Virtual Wires
    Specifies whether the admin can view, add, or delete virtual wires.
    Enable: Yes | Read Only: Yes | Disable: Yes

Virtual Routers
    Specifies whether the admin can view, add, modify, or delete virtual routers.
    Enable: Yes | Read Only: Yes | Disable: Yes

IPSec Tunnels
    Specifies whether the admin can view, add, modify, or delete IPSec Tunnel configurations.
    Enable: Yes | Read Only: Yes | Disable: Yes

DHCP
    Specifies whether the admin can view, add, modify, or delete DHCP server and DHCP relay configurations.
    Enable: Yes | Read Only: Yes | Disable: Yes

DNS Proxy
    Specifies whether the admin can view, add, modify, or delete DNS proxy configurations.
    Enable: Yes | Read Only: Yes | Disable: Yes

GlobalProtect
    Specifies whether the admin can view, add, or modify GlobalProtect portal and gateway configurations. You can disable access to the GlobalProtect functions entirely, or you can enable the GlobalProtect privilege and then restrict the role to either the portal or gateway configuration areas.
    Enable: Yes | Read Only: No | Disable: Yes

Portals
    Specifies whether the admin can view, add, modify, or delete GlobalProtect portal configurations.
    Enable: Yes | Read Only: Yes | Disable: Yes

Gateways
    Specifies whether the admin can view, add, modify, or delete GlobalProtect gateway configurations.
    Enable: Yes | Read Only: Yes | Disable: Yes

MDM
    Specifies whether the admin can view, add, modify, or delete GlobalProtect MDM server configurations.
    Enable: Yes | Read Only: Yes | Disable: Yes

QoS
    Specifies whether the admin can view, add, modify, or delete QoS configurations.
    Enable: Yes | Read Only: Yes | Disable: Yes

LLDP
    Specifies whether the admin can view, add, modify, or delete LLDP configurations.
    Enable: Yes | Read Only: Yes | Disable: Yes

Network Profiles
    Sets the default state to enable or disable for all of the Network settings described below.
    Enable: Yes | Read Only: No | Disable: Yes

IKE Gateways
    Controls access to the Network Profiles > IKE Gateways node. If you disable this privilege, the administrator will not see the IKE Gateways node or define gateways that include the configuration information necessary to perform IKE protocol negotiation with a peer gateway.
    If the privilege state is set to read-only, you can view the currently configured IKE Gateways but cannot add or edit gateways.
    Enable: Yes | Read Only: Yes | Disable: Yes

IKE Crypto
    Controls how devices exchange information to ensure secure communication. Specify the protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPsec SA negotiation (IKEv1 Phase-1).
    Enable: Yes | Read Only: Yes | Disable: Yes

IPSec Crypto
    Controls access to the Network Profiles > IPSec Crypto node. If you disable this privilege, the administrator will not see the Network Profiles > IPSec Crypto node or specify protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPSec SA negotiation.
    If the privilege state is set to read-only, you can view the currently configured IPSec Crypto configuration but cannot add or edit a configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes

GlobalProtect IPSec Crypto
    Controls access to the Network Profiles > GlobalProtect IPSec Crypto node. If you disable this privilege, the administrator will not see that node, or configure algorithms for authentication and encryption in VPN tunnels between a GlobalProtect gateway and clients.
    If you set the privilege to read-only, the administrator can view existing GlobalProtect IPSec Crypto profiles but cannot add or edit them.
    Enable: Yes | Read Only: Yes | Disable: Yes

Monitor
    Controls access to the Network Profiles > Monitor node. If you disable this privilege, the administrator will not see the Network Profiles > Monitor node or be able to create or edit a monitor profile that is used to monitor IPSec tunnels and monitor a next-hop device for policy-based forwarding (PBF) rules.
    If the privilege state is set to read-only, you can view the currently configured monitor profile configuration but cannot add or edit a configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes

Interface Mgmt
    Controls access to the Network Profiles > Interface Mgmt node. If you disable this privilege, the administrator will not see the Network Profiles > Interface Mgmt node or be able to specify the protocols that are used to manage the firewall.
    If the privilege state is set to read-only, you can view the currently configured Interface management profile configuration but cannot add or edit a configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes

Zone Protection
    Controls access to the Network Profiles > Zone Protection node. If you disable this privilege, the administrator will not see the Network Profiles > Zone Protection node or be able to configure a profile that determines how the firewall responds to attacks from specified security zones.
    If the privilege state is set to read-only, you can view the currently configured Zone Protection profile configuration but cannot add or edit a configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes

QoS Profile
    Controls access to the Network Profiles > QoS node. If you disable this privilege, the administrator will not see the Network Profiles > QoS node or be able to configure a QoS profile that determines how QoS traffic classes are treated.
    If the privilege state is set to read-only, you can view the currently configured QoS profile configuration but cannot add or edit a configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes

LLDP Profile
    Controls access to the Network Profiles > LLDP node. If you disable this privilege, the administrator will not see the Network Profiles > LLDP node or be able to configure an LLDP profile that controls whether the interfaces on the firewall can participate in the Link Layer Discovery Protocol.
    If the privilege state is set to read-only, you can view the currently configured LLDP profile configuration but cannot add or edit a configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes


Provide Granular Access to the Device Tab


Access Level | Description | Enable | Read Only | Disable

Setup
    Controls access to the Setup node. If you disable this privilege, the administrator will not see the Setup node or have access to device-wide setup configuration information, such as Management, Operations, Service, Content-ID, WildFire or Session setup information.
    If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
    Enable: Yes | Read Only: Yes | Disable: Yes

Config Audit
    Controls access to the Config Audit node. If you disable this privilege, the administrator will not see the Config Audit node or have access to any device-wide configuration information.
    Enable: Yes | Read Only: No | Disable: Yes

Admin Roles
    Controls access to the Admin Roles node. This function can only be allowed for read-only access. If you disable this privilege, the administrator will not see the Admin Roles node or have access to any device-wide information concerning admin roles configuration.
    If you set this privilege to read-only, you can view the configuration information for all admin roles configured on the device.
    Enable: No | Read Only: Yes | Disable: Yes

Administrators
    Controls access to the Administrators node. This function can only be allowed for read-only access. If you disable this privilege, the administrator will not see the Administrators node or have access to information about their own admin account.
    If you set this privilege to read-only, the administrator can view the configuration information for their own admin account. They will not see any information about other admin accounts configured on the device.
    Enable: No | Read Only: Yes | Disable: Yes

Virtual Systems
    Controls access to the Virtual Systems node. If you disable this privilege, the administrator will not see or be able to configure virtual systems.
    If the privilege state is set to read-only, you can view the currently configured virtual systems but cannot add or edit a configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes

Shared Gateways
    Controls access to the Shared Gateways node. Shared gateways allow virtual systems to share a common interface for external communications. If you disable this privilege, the administrator will not see or be able to configure shared gateways.
    If the privilege state is set to read-only, you can view the currently configured shared gateways but cannot add or edit a configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes

User Identification
    Controls access to the User Identification node. If you disable this privilege, the administrator will not see the User Identification node or have access to device-wide User Identification configuration information, such as User Mapping, User-ID Agents, Service, Terminal Services Agents, Group Mappings Settings or Captive Portal Settings.
    If you set this privilege to read-only, the administrator can view configuration information for the device but is not allowed to perform any configuration procedures.
    Enable: Yes | Read Only: Yes | Disable: Yes

VM Information Source
    Controls access to the VM Information Source node that allows you to configure the firewall/Windows User-ID agent to collect VM inventory automatically. If you disable this privilege, the administrator will not see the VM Information Source node.
    If you set this privilege to read-only, the administrator can view the VM information sources configured but cannot add, edit, or delete any sources.
    This privilege is not available to Device Group and Template administrators.
    Enable: Yes | Read Only: Yes | Disable: Yes

High Availability
    Controls access to the High Availability node. If you disable this privilege, the administrator will not see the High Availability node or have access to device-wide high availability configuration information such as General setup information or Link and Path Monitoring.
    If you set this privilege to read-only, the administrator can view High Availability configuration information for the device but is not allowed to perform any configuration procedures.
    Enable: Yes | Read Only: Yes | Disable: Yes

Certificate Management
    Sets the default state to enable or disable for all of the Certificate settings described below.
    Enable: Yes | Read Only: No | Disable: Yes

Certificates
    Controls access to the Certificates node. If you disable this privilege, the administrator will not see the Certificates node or be able to configure or access information regarding Device Certificates or Default Trusted Certificate Authorities.
    If you set this privilege to read-only, the administrator can view Certificate configuration information for the device but is not allowed to perform any configuration procedures.
    Enable: Yes | Read Only: Yes | Disable: Yes

Certificate Profile
    Controls access to the Certificate Profile node. If you disable this privilege, the administrator will not see the Certificate Profile node or be able to create certificate profiles.
    If you set this privilege to read-only, the administrator can view Certificate Profiles that are currently configured for the device but is not allowed to create or edit a certificate profile.
    Enable: Yes | Read Only: Yes | Disable: Yes

OCSP Responder
    Controls access to the OCSP Responder node. If you disable this privilege, the administrator will not see the OCSP Responder node or be able to define a server that will be used to verify the revocation status of certificates issued by the PAN-OS device.
    If you set this privilege to read-only, the administrator can view the OCSP Responder configuration for the device but is not allowed to create or edit an OCSP responder configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes

SSL/TLS Service Profile
    Controls access to the SSL/TLS Service Profile node. If you disable this privilege, the administrator will not see the node or configure a profile that specifies a certificate and a protocol version or range of versions for device services that use SSL/TLS.
    If you set this privilege to read-only, the administrator can view existing SSL/TLS Service profiles but cannot create or edit them.
    Enable: Yes | Read Only: Yes | Disable: Yes

Response Pages
    Controls access to the Response Pages node. If you disable this privilege, the administrator will not see the Response Page node or be able to define a custom HTML message that is downloaded and displayed instead of a requested web page or file.
    If you set this privilege to read-only, the administrator can view the Response Page configuration for the device but is not allowed to create or edit a response page configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes

Log Settings
    Sets the default state to enable or disable for all of the Log settings described below.
    Enable: Yes | Read Only: No | Disable: Yes

System
    Controls access to the Log Settings > System node. If you disable this privilege, the administrator will not see the Log Settings > System node or be able to specify the severity levels of the system log entries that are logged remotely with Panorama and sent as SNMP traps, syslog messages, and/or email notifications.
    If you set this privilege to read-only, the administrator can view the Log Settings > System configuration for the device but is not allowed to create or edit a configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes

Config
    Controls access to the Log Settings > Config node. If you disable this privilege, the administrator will not see the Log Settings > Config node or be able to specify the configuration log entries that are logged remotely with Panorama, and sent as syslog messages and/or email notification.
    If you set this privilege to read-only, the administrator can view the Log Settings > Config configuration for the device but is not allowed to create or edit a configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes

HIP Match
    Controls access to the Log Settings > HIP Match node. If you disable this privilege, the administrator will not see the Log Settings > HIP Match node or be able to specify the Host Information Profile (HIP) match log settings that are used to provide information on security rules that apply to GlobalProtect clients.
    If you set this privilege to read-only, the administrator can view the Log Settings > HIP configuration for the device but is not allowed to create or edit a configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes

Alarms
    Controls access to the Log Settings > Alarms node. If you disable this privilege, the administrator will not see the Log Settings > Alarms node or be able to configure notifications that are generated when a security rule (or group of rules) has been hit repeatedly in a set period of time.
    If you set this privilege to read-only, the administrator can view the Log Settings > Alarms configuration for the device but is not allowed to create or edit a configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes

Manage Logs
    Controls access to the Log Settings > Manage Logs node. If you disable this privilege, the administrator will not see the Log Settings > Manage Logs node or be able to clear the indicated logs.
    If you set this privilege to read-only, the administrator can view the Log Settings > Manage Logs information but cannot clear any of the logs.
    Enable: Yes | Read Only: Yes | Disable: Yes

Server Profiles
    Sets the default state to enable or disable for all of the Server Profiles settings described below.
    Enable: Yes | Read Only: No | Disable: Yes

SNMP Trap
    Controls access to the Server Profiles > SNMP Trap node. If you disable this privilege, the administrator will not see the Server Profiles > SNMP Trap node or be able to specify one or more SNMP trap destinations to be used for system log entries.
    If you set this privilege to read-only, the administrator can view the Server Profiles > SNMP Trap Logs information but cannot specify SNMP trap destinations.
    Enable: Yes | Read Only: Yes | Disable: Yes

Syslog
    Controls access to the Server Profiles > Syslog node. If you disable this privilege, the administrator will not see the Server Profiles > Syslog node or be able to specify one or more syslog servers.
    If you set this privilege to read-only, the administrator can view the Server Profiles > Syslog information but cannot specify syslog servers.
    Enable: Yes | Read Only: Yes | Disable: Yes

Email
    Controls access to the Server Profiles > Email node. If you disable this privilege, the administrator will not see the Server Profiles > Email node or be able to configure an email profile that can be used to enable email notification for system and configuration log entries.
    If you set this privilege to read-only, the administrator can view the Server Profiles > Email information but cannot configure an email profile.
    Enable: Yes | Read Only: Yes | Disable: Yes

Netflow
    Controls access to the Server Profiles > Netflow node. If you disable this privilege, the administrator will not see the Server Profiles > Netflow node or be able to define a NetFlow server profile, which specifies the frequency of the export along with the NetFlow servers that will receive the exported data.
    If you set this privilege to read-only, the administrator can view the Server Profiles > Netflow information but cannot define a Netflow profile.
    Enable: Yes | Read Only: Yes | Disable: Yes

RADIUS
    Controls access to the Server Profiles > RADIUS node. If you disable this privilege, the administrator will not see the Server Profiles > RADIUS node or be able to configure settings for the RADIUS servers that are identified in authentication profiles.
    If you set this privilege to read-only, the administrator can view the Server Profiles > RADIUS information but cannot configure settings for the RADIUS servers.
    Enable: Yes | Read Only: Yes | Disable: Yes

TACACS+
    Controls access to the Server Profiles > TACACS+ node. If you disable this privilege, the administrator will not see the node or configure settings for the TACACS+ servers that authentication profiles reference.
    If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but cannot add or edit them.
    Enable: Yes | Read Only: Yes | Disable: Yes

LDAP
    Controls access to the Server Profiles > LDAP node. If you disable this privilege, the administrator will not see the Server Profiles > LDAP node or be able to configure settings for the LDAP servers to use for authentication by way of authentication profiles.
    If you set this privilege to read-only, the administrator can view the Server Profiles > LDAP information but cannot configure settings for the LDAP servers.
    Enable: Yes | Read Only: Yes | Disable: Yes

Kerberos
    Controls access to the Server Profiles > Kerberos node. If you disable this privilege, the administrator will not see the Server Profiles > Kerberos node or configure a Kerberos server that allows users to authenticate natively to a domain controller.
    If you set this privilege to read-only, the administrator can view the Server Profiles > Kerberos information but cannot configure settings for Kerberos servers.
    Enable: Yes | Read Only: Yes | Disable: Yes

Local User Database
    Sets the default state to enable or disable for all of the Local User Database settings described below.
    Enable: Yes | Read Only: No | Disable: Yes

Users
    Controls access to the Local User Database > Users node. If you disable this privilege, the administrator will not see the Local User Database > Users node or set up a local database on the firewall to store authentication information for remote access users, device administrators, and captive portal users.
    If you set this privilege to read-only, the administrator can view the Local User Database > Users information but cannot set up a local database on the firewall to store authentication information.
    Enable: Yes | Read Only: Yes | Disable: Yes

User Groups
    Controls access to the Local User Database > Users node. If you disable this privilege, the administrator will not see the Local User Database > Users node or be able to add user group information to the local database.
    If you set this privilege to read-only, the administrator can view the Local User Database > Users information but cannot add user group information to the local database.
    Enable: Yes | Read Only: Yes | Disable: Yes

Authentication Profile
    Controls access to the Authentication Profile node. If you disable this privilege, the administrator will not see the Authentication Profile node or be able to create or edit authentication profiles that specify local database, RADIUS, TACACS+, LDAP, or Kerberos settings that can be assigned to administrator accounts.
    If you set this privilege to read-only, the administrator can view the Authentication Profile information but cannot create or edit an authentication profile.
    Enable: Yes | Read Only: Yes | Disable: Yes

Authentication Sequence
    Controls access to the Authentication Sequence node. If you disable this privilege, the administrator will not see the Authentication Sequence node or be able to create or edit an authentication sequence.
    If you set this privilege to read-only, the administrator can view the Authentication Profile information but cannot create or edit an authentication sequence.
    Enable: Yes | Read Only: Yes | Disable: Yes

Access Domain
    Controls access to the Access Domain node. If you disable this privilege, the administrator will not see the Access Domain node or be able to create or edit an access domain.
    If you set this privilege to read-only, the administrator can view the Access Domain information but cannot create or edit an access domain.
    Enable: Yes | Read Only: Yes | Disable: Yes

Scheduled Log Export
    Controls access to the Scheduled Log Export node. If you disable this privilege, the administrator will not see the Scheduled Log Export node or be able to schedule exports of logs and save them to a File Transfer Protocol (FTP) server in CSV format or use Secure Copy (SCP) to securely transfer data between the device and a remote host.
    If you set this privilege to read-only, the administrator can view the Scheduled Log Export Profile information but cannot schedule the export of logs.
    Enable: Yes | Read Only: No | Disable: Yes

Software
    Controls access to the Software node. If you disable this privilege, the administrator will not see the Software node or view the latest versions of the PAN-OS software available from Palo Alto Networks, read the release notes for each version, and select a release to download and install.
    If you set this privilege to read-only, the administrator can view the Software information but cannot download or install software.
    Enable: Yes | Read Only: Yes | Disable: Yes

GlobalProtect Client
    Controls access to the GlobalProtect Client node. If you disable this privilege, the administrator will not see the GlobalProtect Client node or view available GlobalProtect releases, download the code or activate the GlobalProtect agent.
    If you set this privilege to read-only, the administrator can view the available GlobalProtect Client releases but cannot download or install the agent software.
    Enable: Yes | Read Only: Yes | Disable: Yes

Dynamic Updates
    Controls access to the Dynamic Updates node. If you disable this privilege, the administrator will not see the Dynamic Updates node or be able to view the latest updates, read the release notes for each update, or select an update to upload and install.
    If you set this privilege to read-only, the administrator can view the available Dynamic Updates releases and read the release notes but cannot upload or install the software.
    Enable: Yes | Read Only: Yes | Disable: Yes

Licenses
    Controls access to the Licenses node. If you disable this privilege, the administrator will not see the Licenses node or be able to view the licenses installed or activate licenses.
    If you set this privilege to read-only, the administrator can view the installed Licenses, but cannot perform license management functions.
    Enable: Yes | Read Only: Yes | Disable: Yes

Support
    Controls access to the Support node. If you disable this privilege, the administrator will not see the Support node or be able to access product and security alerts from Palo Alto Networks or generate tech support or stats dump files.
    If you set this privilege to read-only, the administrator can view the Support node and access product and security alerts but cannot generate tech support or stats dump files.
    Enable: Yes | Read Only: Yes | Disable: Yes

Master Key and Diagnostics
    Controls access to the Master Key and Diagnostics node. If you disable this privilege, the administrator will not see the Master Key and Diagnostics node or be able to specify a master key to encrypt private keys on the firewall.
    If you set this privilege to read-only, the administrator can view the Master Key and Diagnostics node and view information about master keys that have been specified but cannot add or edit a new master key configuration.
    Enable: Yes | Read Only: Yes | Disable: Yes

Define User Privacy Settings in the Admin Role Profile


Access Level | Description | Enable | Read Only | Disable

Privacy
    Sets the default state to enable or disable for all of the privacy settings described below.
    Enable: Yes | Read Only: N/A | Disable: Yes

Show Full IP addresses
    When set to disable, full IP addresses obtained by traffic running through the Palo Alto firewall are not shown in logs or reports. In place of the IP addresses that are normally displayed, the relevant subnet is displayed.
    Scheduled reports that are displayed in the interface through Monitor > Reports and reports that are sent via scheduled emails will still display full IP addresses. Because of this exception, we recommend that the following settings within the Monitor tab be set to disable: Custom Reports, Application Reports, Threat Reports, URL Filtering Reports, Traffic Reports and Email Scheduler.
    Enable: Yes | Read Only: N/A | Disable: Yes

Show User Names in Logs and Reports
    When set to disable, user names obtained by traffic running through the Palo Alto Networks firewall are not shown in logs or reports. Columns where the user names would normally be displayed are empty.
    Scheduled reports that are displayed in the interface through Monitor > Reports or reports that are sent via the email scheduler will still display user names. Because of this exception, we recommend that the following settings within the Monitor tab be set to disable: Custom Reports, Application Reports, Threat Reports, URL Filtering Reports, Traffic Reports and Email Scheduler.
    Enable: Yes | Read Only: N/A | Disable: Yes

View Pcap Files
    When set to disable, packet capture files that are normally available within the Traffic, Threat and Data Filtering logs are not displayed.
    Enable: Yes | Read Only: N/A | Disable: Yes
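Two rules in this reference are easy to get wrong when building a role by hand: a parent node such as Security Profiles or Network Profiles set to disable hides every node beneath it regardless of the child settings, and disabling the two privacy settings above only masks data if the listed Monitor-tab report nodes are disabled as well. The following Python is an added example written for this page (not PAN-OS code, its CLI or its configuration format) that checks a role against both rules; node names and the two role dictionaries are constructed, and a node the role does not list is treated as enabled, which is a modelling assumption rather than documented firewall behaviour.

```python
"""Audit a constructed admin role profile against two rules from this
reference: a disabled parent node hides all of its children, and masking
IP addresses or user names is undone by enabled Monitor-tab report nodes.
Example code for this page, not PAN-OS code; node names are made up and an
unlisted node is assumed to be enabled."""

ENABLE, READ_ONLY, DISABLE = "enable", "read-only", "disable"

# Parent node -> child nodes, following the tables above.  A parent accepts
# only enable/disable (its Read Only column is "No"); children may be read-only.
PARENTS: dict[str, tuple[str, ...]] = {
    "objects/security-profiles": ("objects/antivirus", "objects/anti-spyware",
                                  "objects/vulnerability-protection",
                                  "objects/url-filtering", "objects/file-blocking",
                                  "objects/data-filtering", "objects/dos-protection"),
    "objects/custom-objects": ("objects/data-patterns", "objects/spyware",
                               "objects/vulnerability", "objects/url-category"),
    "network/network-profiles": ("network/ike-gateways", "network/ike-crypto",
                                 "network/ipsec-crypto", "network/monitor",
                                 "network/interface-mgmt", "network/zone-protection",
                                 "network/qos-profile", "network/lldp-profile"),
    "device/log-settings": ("device/log-settings/system", "device/log-settings/config",
                            "device/log-settings/hip-match", "device/log-settings/alarms",
                            "device/log-settings/manage-logs"),
    "device/local-user-database": ("device/local-user-database/users",
                                   "device/local-user-database/user-groups"),
}

# Monitor-tab nodes whose scheduled reports still show full IP addresses and
# user names even when the two privacy settings are disabled.
REPORT_NODES = ("monitor/custom-reports", "monitor/application-reports",
                "monitor/threat-reports", "monitor/url-filtering-reports",
                "monitor/traffic-reports", "monitor/email-scheduler")
PRIVACY_NODES = ("privacy/show-full-ip-addresses", "privacy/show-user-names")


def effective_access(role: dict[str, str]) -> dict[str, str]:
    """Resolve the state the admin actually gets: a disabled parent overrides
    its children, an enabled parent leaves each child's own setting in force,
    and a read-only parent is rejected because the tables do not allow it."""
    effective = dict(role)
    for parent, children in PARENTS.items():
        state = role.get(parent, ENABLE)  # assumption: unlisted means enabled
        if state == READ_ONLY:
            raise ValueError(f"{parent} accepts only enable or disable")
        if state == DISABLE:
            for child in children:
                effective[child] = DISABLE
    return effective


def audit_role(role: dict[str, str]) -> list[str]:
    """Return one finding per setting that contradicts another in the role."""
    findings: list[str] = []
    effective = effective_access(role)

    # Rule 1: data masked in logs still reaches scheduled and emailed reports.
    masked = [node for node in PRIVACY_NODES if role.get(node, ENABLE) == DISABLE]
    if masked:
        for node in REPORT_NODES:
            if effective.get(node, ENABLE) != DISABLE:
                findings.append(f"{node} is not disabled, so scheduled reports "
                                f"still show the data masked by {', '.join(masked)}")

    # Rule 2: a child setting under a disabled parent never takes effect.
    for parent, children in PARENTS.items():
        if role.get(parent, ENABLE) == DISABLE:
            for child in children:
                if role.get(child) in (ENABLE, READ_ONLY):
                    findings.append(f"{child} is {role[child]} but hidden "
                                    f"because {parent} is disabled")
    return findings


# Constructed role for a log reviewer: IPs and user names masked, but most
# report nodes left enabled and a child set under a disabled parent.
LOG_REVIEWER_ROLE = {
    "privacy/show-full-ip-addresses": DISABLE,
    "privacy/show-user-names": DISABLE,
    "monitor/email-scheduler": DISABLE,
    "objects/security-profiles": DISABLE,
    "objects/antivirus": READ_ONLY,
    "commit": DISABLE,
}

# The same role with both contradictions resolved.
LOG_REVIEWER_ROLE_FIXED = {**LOG_REVIEWER_ROLE,
                           **{node: DISABLE for node in REPORT_NODES}}
del LOG_REVIEWER_ROLE_FIXED["objects/antivirus"]

if __name__ == "__main__":
    for name, role in (("draft", LOG_REVIEWER_ROLE),
                       ("fixed", LOG_REVIEWER_ROLE_FIXED)):
        findings = audit_role(role)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Running the block reports five report-node findings plus the hidden Antivirus setting for the draft role and nothing for the fixed one.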

Restrict Admin Access to Commit Functions


Restrict User Access Using the Commit Setting

Access Level | Description | Enable | Read Only | Disable

Commit
    When set to disable, an admin cannot commit any changes to a configuration.
    Enable: Yes | Read Only: N/A | Disable: Yes

Restrict Admin Access to Validate Functions


Restrict User Access Using the Validate Setting

Access Level | Description | Enable | Read Only | Disable

Validate
    When set to disable, an admin cannot validate a configuration.
    Enable: Yes | Read Only: N/A | Disable: Yes

Provide Granular Access to Global Settings


Restrict User Access Using the Global Settings

Access Level | Description | Enable | Read Only | Disable

Global
    Sets the default state to enable or disable for all of the global settings described below. In effect, this setting is only for System Alarms at this time.
    Enable: Yes | Read Only: N/A | Disable: Yes

System Alarms
    When set to disable, an admin cannot view or acknowledge alarms that are generated.
    Enable: Yes | Read Only: N/A | Disable: Yes

Provide Granular Access to the Panorama Tab


The following table lists the Panorama tab access levels and the custom Panorama administrator roles for which
they are available. Firewall administrators cannot access any of these privileges.

Each entry below gives the access level, its description, the admin roles for which it is available, and whether the Enable, Read Only and Disable states are offered for it.

Setup
  Description: Specifies whether the administrator can view or edit Panorama setup information, such as Management, Operations, Services, WildFire, or HSM. If you set the privilege to read-only, the administrator can see the information but cannot edit it. If you disable this privilege, the administrator cannot see or edit the information.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

High Availability
  Description: Specifies whether the administrator can view and manage high availability (HA) settings for the Panorama management server. If you set this privilege to read-only, the administrator can view HA configuration information for the Panorama management server but can't manage the configuration. If you disable this privilege, the administrator can't see or manage HA configuration settings for the Panorama management server.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Config Audit
  Description: Specifies whether the administrator can run Panorama configuration audits. If you disable this privilege, the administrator can't run Panorama configuration audits.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: No | Disable: Yes

Administrators
  Description: Specifies whether the administrator can view Panorama administrator account details. You can't enable full access to this function: just read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete Panorama administrators.) With read-only access, the administrator can see information about his or her own account but no other Panorama administrator accounts. If you disable this privilege, the administrator can't see information about any Panorama administrator account, including his or her own.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: No | Read Only: Yes | Disable: Yes

Admin Roles
  Description: Specifies whether the administrator can view Panorama administrator roles. You can't enable full access to this function: just read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete custom Panorama roles.) With read-only access, the administrator can see Panorama administrator role configurations but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama administrator roles.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: No | Read Only: Yes | Disable: Yes

Access Domain
  Description: Specifies whether the administrator can view, add, edit, delete, or clone access domain configurations for Panorama administrators. (This privilege controls access only to the configuration of access domains, not access to the device groups, templates, and firewall contexts that are assigned to access domains.) If you set this privilege to read-only, the administrator can view Panorama access domain configurations but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama access domain configurations.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No. You assign access domains to Device Group and Template administrators so they can access the configuration and monitoring data within the device groups, templates, and firewall contexts that are assigned to those access domains.
  Enable: Yes | Read Only: Yes | Disable: Yes

Authentication Profile
  Description: Specifies whether the administrator can view, add, edit, delete, or clone authentication profiles for Panorama administrators. If you set this privilege to read-only, the administrator can view Panorama authentication profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama authentication profiles.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Authentication Sequence
  Description: Specifies whether the administrator can view, add, edit, delete, or clone authentication sequences for Panorama administrators. If you set this privilege to read-only, the administrator can view Panorama authentication sequences but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama authentication sequences.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Managed Devices
  Description: Specifies whether the administrator can view, add, edit, tag, or delete firewalls as managed devices, and install software or content updates on them. If you set this privilege to read-only, the administrator can see managed firewalls but can't add, delete, tag, or install updates on them. If you disable this privilege, the administrator can't view, add, edit, tag, delete, or install updates on managed firewalls. This privilege applies only to the Panorama > Managed Devices page. An administrator with Device Deployment privileges can still use the Panorama > Device Deployment pages to install updates on managed firewalls.
  Admin Role Availability: Panorama: Yes; Device Group/Template: Yes (No for Device Group and Template roles)
  Enable: Yes | Read Only: Yes | Disable: Yes

Templates
  Description: Specifies whether the administrator can view, edit, add, or delete templates and template stacks. If you set the privilege to read-only, the administrator can see template and stack configurations but can't manage them. If you disable this privilege, the administrator can't see or manage template and stack configurations.
  Admin Role Availability: Panorama: Yes; Device Group/Template: Yes (No for Device Group and Template admins). Device Group and Template administrators can see and access only the templates and stacks that are within the access domains assigned to those administrators.
  Enable: Yes | Read Only: Yes | Disable: Yes

Device Groups
  Description: Specifies whether the administrator can view, edit, add, or delete device groups. If you set this privilege to read-only, the administrator can see device group configurations but can't manage them. If you disable this privilege, the administrator can't see or manage device group configurations.
  Admin Role Availability: Panorama: Yes; Device Group/Template: Yes. Device Group and Template administrators can access only the device groups that are within the access domains assigned to those administrators.
  Enable: Yes | Read Only: Yes | Disable: Yes

Managed Collectors
  Description: Specifies whether the administrator can view, edit, add, or delete managed collectors. If you set this privilege to read-only, the administrator can see managed collector configurations but can't manage them. If you disable this privilege, the administrator can't view, edit, add, or delete managed collector configurations. This privilege applies only to the Panorama > Managed Collectors page. An administrator with Device Deployment privileges can still use the Panorama > Device Deployment pages to install updates on managed collectors.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Collector Groups
  Description: Specifies whether the administrator can view, edit, add, or delete Collector Groups. If you set this privilege to read-only, the administrator can see Collector Groups but can't manage them. If you disable this privilege, the administrator can't see or manage Collector Groups.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

VMware Service Manager
  Description: Specifies whether the administrator can view and edit VMware Service Manager settings. If you set this privilege to read-only, the administrator can see the settings but can't perform any related configuration or operational procedures. If you disable this privilege, the administrator can't see the settings or perform any related configuration or operational procedures.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Certificate Management
  Description: Sets the default state, enabled or disabled, for all of the Panorama certificate management privileges.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: No | Disable: Yes

Certificates
  Description: Specifies whether the administrator can view, edit, generate, delete, revoke, renew, or export certificates. This privilege also specifies whether the administrator can import or export HA keys. If you set this privilege to read-only, the administrator can see Panorama certificates but can't manage the certificates or HA keys. If you disable this privilege, the administrator can't see or manage Panorama certificates or HA keys.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Certificate Profile
  Description: Specifies whether the administrator can view, add, edit, delete or clone Panorama certificate profiles. If you set this privilege to read-only, the administrator can see Panorama certificate profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama certificate profiles.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

SSL/TLS Service Profile
  Description: Specifies whether the administrator can view, add, edit, delete or clone SSL/TLS Service profiles. If you set this privilege to read-only, the administrator can see SSL/TLS Service profiles but can't manage them. If you disable this privilege, the administrator can't see or manage SSL/TLS Service profiles.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Log Settings
  Description: Sets the default state, enabled or disabled, for all the log setting privileges.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: No | Disable: Yes

System
  Description: Specifies whether the administrator can see and configure the settings that control the forwarding of System logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the System log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings. On a Panorama M-Series appliance, this privilege pertains only to System logs that Panorama generates. On a Panorama virtual appliance, this privilege applies to System logs that Panorama generates and to System logs that Panorama collects from firewalls. The Panorama > Collector Groups page controls the forwarding of System logs that an M-Series appliance collects from firewalls. The Device > Log Settings page controls the forwarding of System logs directly from firewalls to external services (without aggregation on Panorama).
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Config
  Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Config logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the Config log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings. On a Panorama M-Series appliance, this privilege pertains only to Config logs that Panorama generates. On a Panorama virtual appliance, this privilege applies to Config logs that Panorama generates and to Config logs that Panorama collects from firewalls. The Panorama > Collector Groups page controls the forwarding of Config logs that an M-Series appliance collects from firewalls. The Device > Log Settings page controls the forwarding of Config logs directly from firewalls to external services (without aggregation on Panorama).
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

HIP Match
  Description: Specifies whether the administrator can see and configure the settings that control the forwarding of HIP Match logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of HIP Match logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings. The Panorama > Collector Groups page controls the forwarding of HIP Match logs from a Panorama M-Series appliance. The Device > Log Settings page controls the forwarding of HIP Match logs directly from firewalls to external services (without aggregation on Panorama).
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Correlation
  Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Correlation logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the Correlation log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings. The Panorama > Collector Groups page controls the forwarding of Correlation logs from a Panorama M-Series appliance. The Device > Log Settings page controls the forwarding of Correlation logs directly from firewalls to external services (without aggregation on Panorama).
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Traffic
  Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Traffic logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of Traffic logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings. The Panorama > Collector Groups page controls the forwarding of Traffic logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of Traffic logs directly from firewalls to external services (without aggregation on Panorama).
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Threat
  Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Threat logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of Threat logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings. The Panorama > Collector Groups page controls the forwarding of Threat logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of Threat logs directly from firewalls to external services (without aggregation on Panorama).
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

WildFire
  Description: Specifies whether the administrator can see and configure the settings that control the forwarding of WildFire logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of WildFire logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings. The Panorama > Collector Groups page controls the forwarding of WildFire logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of WildFire logs directly from firewalls to external services (without aggregation on Panorama).
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Server Profiles
  Description: Sets the default state, enabled or disabled, for all the server profile privileges. These privileges pertain only to the server profiles that are used for forwarding logs that Panorama generates or collects from firewalls and the server profiles that are used for authenticating Panorama administrators. The Device > Server Profiles pages control the server profiles that are used for forwarding logs directly from firewalls to external services (without aggregation on Panorama) and for authenticating firewall administrators.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: No | Disable: Yes

SNMP Trap
  Description: Specifies whether the administrator can see and configure SNMP trap server profiles. If you set this privilege to read-only, the administrator can see SNMP trap server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage SNMP trap server profiles.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Syslog
  Description: Specifies whether the administrator can see and configure Syslog server profiles. If you set this privilege to read-only, the administrator can see Syslog server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Syslog server profiles.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Email
  Description: Specifies whether the administrator can see and configure email server profiles. If you set this privilege to read-only, the administrator can see email server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage email server profiles.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

RADIUS
  Description: Specifies whether the administrator can see and configure the RADIUS server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the RADIUS server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the RADIUS server profiles.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

TACACS+
  Description: Specifies whether the administrator can see and configure the TACACS+ server profiles that are used to authenticate Panorama administrators. If you disable this privilege, the administrator can't see the node or configure settings for the TACACS+ servers that authentication profiles reference. If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but can't add or edit them.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

LDAP
  Description: Specifies whether the administrator can see and configure the LDAP server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the LDAP server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the LDAP server profiles.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Kerberos
  Description: Specifies whether the administrator can see and configure the Kerberos server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the Kerberos server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the Kerberos server profiles.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Scheduled Config Export
  Description: Specifies whether the administrator can view, add, edit, delete, or clone scheduled Panorama configuration exports. If you set this privilege to read-only, the administrator can view the scheduled exports but can't manage them. If you disable this privilege, the administrator can't see or manage the scheduled exports.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: No | Disable: Yes

Software
  Description: Specifies whether the administrator can: view information about Panorama software updates; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can view information about Panorama software updates and view the associated release notes but can't perform any related operations. If you disable this privilege, the administrator can't see Panorama software updates, see the associated release notes, or perform any related operations. This privilege pertains only to software installed on a Panorama management server. The Panorama > Device Deployment > Software page controls access to PAN-OS software deployed on firewalls and Panorama software deployed on Dedicated Log Collectors.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Dynamic Updates
  Description: Specifies whether the administrator can: view information about Panorama content updates (for example, WildFire updates); download, upload, install, or revert the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can view information about Panorama content updates and view the associated release notes but can't perform any related operations. If you disable this privilege, the administrator can't see Panorama content updates, see the associated release notes, or perform any related operations. This privilege pertains only to content updates installed on a Panorama management server. The Panorama > Device Deployment > Dynamic Updates page controls access to content updates deployed on firewalls and Dedicated Log Collectors.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Support
  Description: Specifies whether the administrator can: view Panorama support license information, product alerts, and security alerts; activate a support license, generate Tech Support files, and manage cases. If you set this privilege to read-only, the administrator can view Panorama support information, product alerts, and security alerts, but can't activate a support license, generate Tech Support files, or manage cases. If you disable this privilege, the administrator can't: see Panorama support information, product alerts, or security alerts; activate a support license, generate Tech Support files, or manage cases.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Device Deployment
  Description: Sets the default state, enabled or disabled, for all the device deployment privileges. These privileges pertain only to software and content updates that Panorama administrators deploy on firewalls and Dedicated Log Collectors. The Panorama > Software and Panorama > Dynamic Updates pages control the software and content updates installed on a Panorama management server.
  Admin Role Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes | Read Only: No | Disable: Yes

Software
  Description: Specifies whether the administrator can: view information about the software updates installed on firewalls and Log Collectors; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about the software updates and view the associated release notes but can't deploy the updates to firewalls or Dedicated Log Collectors. If you disable this privilege, the administrator can't see information about the software updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.
  Admin Role Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes | Read Only: Yes | Disable: Yes

SSL VPN Client
  Description: Specifies whether the administrator can: view information about SSL VPN client software updates on firewalls; download, upload, or activate the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about SSL VPN client software updates and view the associated release notes but can't activate the updates on firewalls. If you disable this privilege, the administrator can't see information about SSL VPN client software updates, see the associated release notes, or activate the updates on firewalls.
  Admin Role Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes | Read Only: Yes | Disable: Yes

GlobalProtect Client
  Description: Specifies whether the administrator can: view information about GlobalProtect agent/app software updates on firewalls; download, upload, or activate the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about GlobalProtect agent/app software updates and view the associated release notes but can't activate the updates on firewalls. If you disable this privilege, the administrator can't see information about GlobalProtect agent/app software updates, see the associated release notes, or activate the updates on firewalls.
  Admin Role Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes | Read Only: Yes | Disable: Yes

Dynamic Updates
  Description: Specifies whether the administrator can: view information about the content updates (for example, Applications updates) installed on firewalls and Dedicated Log Collectors; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about the content updates and view the associated release notes but can't deploy the updates to firewalls or Dedicated Log Collectors. If you disable this privilege, the administrator can't see information about the content updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.
  Admin Role Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes | Read Only: Yes | Disable: Yes

Licenses
  Description: Specifies whether the administrator can view, refresh, and activate firewall licenses. If you set this privilege to read-only, the administrator can view firewall licenses but can't refresh or activate those licenses. If you disable this privilege, the administrator can't view, refresh, or activate firewall licenses.
  Admin Role Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes | Read Only: Yes | Disable: Yes

Master Key and Diagnostics
  Description: Specifies whether the administrator can view and configure a master key by which to encrypt private keys on Panorama. If you set this privilege to read-only, the administrator can view the Panorama master key configuration but can't change it. If you disable this privilege, the administrator can't see or edit the Panorama master key configuration.
  Admin Role Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes | Read Only: Yes | Disable: Yes

Panorama Web Interface Access

The custom Panorama administrator roles allow you to define access to the options on Panorama and to restrict an administrator to Device Groups and Templates only (the Policies, Objects, Network, and Device tabs).

The admin roles you can create are Panorama and Device Group and Template. You can't assign CLI access privileges to a Device Group and Template admin role. If you assign superuser privileges for the CLI to a Panorama admin role, administrators with that role can access all features regardless of the web interface privileges you assign.
Each entry below gives the access level, its description, and whether the Enable, Read Only and Disable states are offered for it.

Dashboard
  Description: Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets.
  Enable: Yes | Read Only: No | Disable: Yes

ACC
  Description: Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.
  Enable: Yes | Read Only: No | Disable: Yes

Monitor
  Description: Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports or to App Scope. For more granular control over what monitoring information the admin can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab.
  Enable: Yes | Read Only: No | Disable: Yes

Policies
  Description: Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the admin can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab.
  Enable: Yes | Read Only: No | Disable: Yes

Objects
  Description: Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the admin can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab.
  Enable: Yes | Read Only: No | Disable: Yes

Network
  Description: Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what objects the admin can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab.
  Enable: Yes | Read Only: No | Disable: Yes

Device
  Description: Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any device-wide configuration information, such as User-ID, High Availability, server profile or certificate configuration information. For more granular control over what objects the admin can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab. You can't enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab.
  Enable: Yes | Read Only: No | Disable: Yes

Panorama
  Description: Controls access to the Panorama tab. If you disable this privilege, the administrator will not see the Panorama tab and will not have access to any Panorama-wide configuration information, such as Managed Devices, Managed Collectors, or Collector Groups. For more granular control over what objects the admin can see, leave the Panorama option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Panorama Tab.
  Enable: Yes | Read Only: No | Disable: Yes

Validate
  Description: When set to disable, an admin cannot validate a configuration.
  Enable: Yes | Read Only: N/A | Disable: Yes

PAN-OS 7.0 Administrators Guide 127

Reference: Port Numbers Used by Palo Alto Networks Devices

The following tables list the ports that Palo Alto Networks devices use to communicate with each other, or with
other services on the network.

Ports Used for Management Functions

Ports Used for HA

Ports Used for Panorama

Ports Used for User-ID

Ports Used for Management Functions


Destination Port / Protocol / Description

22/TCP: Used for communication from a client system to the firewall CLI interface.

80/TCP: The port the firewall listens on for Online Certificate Status Protocol (OCSP) updates when acting as an OCSP responder.

123/UDP: Port the firewall uses for NTP updates.

443/TCP: Used for communication from a client system to the firewall web interface. This is also the port the firewall and User-ID agent listen on for VM Information source updates. For monitoring an AWS environment, this is the only port that is used. For monitoring a VMware vCenter/ESXi environment, the listening port defaults to 443, but it is configurable.

162/UDP: Port the firewall, Panorama, or a Log Collector uses to Forward Traps to an SNMP Manager. This port doesn't need to be open on the Palo Alto Networks device. You must configure the Simple Network Management Protocol (SNMP) manager to listen on this port. For details, refer to the documentation of your SNMP management software.

161/UDP: Port the firewall listens on for polling requests (GET messages) from the SNMP manager.

514/TCP, 514/UDP, 6514/SSL: Port that the firewall, Panorama, or a Log Collector uses to send logs to a syslog server if you Configure Syslog Monitoring, and the ports that the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages if you Configure User-ID to Receive User Mappings from a Syslog Sender.

2055/UDP: Default port the firewall uses to send NetFlow records to a NetFlow collector if you Configure NetFlow Exports, but this is configurable.

5008/TCP: Port the GlobalProtect Mobile Security Manager listens on for HIP requests from the GlobalProtect gateways. If you are using a third-party MDM system, you can configure the gateway to use a different port as required by the MDM vendor.

6080/TCP, 6081/TCP, 6082/TCP: Ports used for Captive Portal: 6080 for NT LAN Manager (NTLM) authentication, 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode.

Ports Used for HA


Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control link) and synchronize data (HA2 data link). In Active/Active HA deployments the peer firewalls must also forward packets to the HA peer that owns the session. The HA3 link is a Layer 2 (MAC-in-MAC) link and it does not support Layer 3 addressing or encryption.

Destination Port / Protocol / Description

28769/TCP, 28260/TCP: Used for the HA1 control link for clear text communication between the HA peer firewalls. The HA1 link is a Layer 3 link and requires an IP address.

28/TCP: Used for the HA1 control link for encrypted communication (SSH over TCP) between the HA peer firewalls.

28770/TCP: Listening port for HA1 backup links.

28771/TCP: Used for heartbeat backups. Palo Alto Networks recommends enabling heartbeat backup on the MGT interface if you use an in-band port for the HA1 or the HA1 backup links.

99/IP, 29281/UDP: Used for the HA2 link to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active device (Active/Passive) or active-primary (Active/Active) to the passive device (Active/Passive) or active-secondary (Active/Active). The HA2 link is a Layer 2 link, and it uses ether type 0x7261 by default. The HA data link can also be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.

Ports Used for Panorama


Destination Port / Protocol / Description

22/TCP: Used for communication from a client system to the Panorama CLI interface.

443/TCP: Used for communication from a client system to the Panorama web interface.

3978/TCP: Used for communication between Panorama and managed devices (firewalls and Log Collectors) as well as for communication among Log Collectors in a Collector Group:
- For communication between Panorama and firewalls, this is a bi-directional connection on which the firewalls forward logs to Panorama and Panorama pushes configuration changes to the firewalls. Context switching commands are sent over the same connection.
- Log Collectors use this destination port to forward logs to Panorama.
- For communication with the default Log Collector on an M-Series appliance in Panorama mode and with Dedicated Log Collectors (M-Series appliances in Log Collector mode).

28769/TCP (5.1 and later), 28260/TCP (5.0 and later), 49160/TCP (5.0 and earlier): Used for the HA connectivity and synchronization between Panorama HA peers using clear text communication. Communication can be initiated by either peer.

28/TCP: Used for the HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP). Communication can be initiated by either peer.

28270/TCP (6.0 and later), 49190/TCP (5.1 and earlier): Used for communication among Log Collectors in a Collector Group for log distribution.

2049/TCP: Used by the Panorama virtual appliance to write logs to the NFS datastore.
Ports Used for User-ID


User-ID is a feature that enables mapping of user IP addresses to usernames and group memberships, enabling user- or group-based policy and visibility into user activity on your network (for example, to be able to quickly track down a user who may be the victim of a threat). To perform this mapping, the firewall, the User-ID agent (either installed on a Windows-based system or the PAN-OS integrated agent running on the firewall), and/or the Terminal Services agent must be able to connect to directory services on your network to perform Group Mapping and User Mapping. Additionally, if the agents are running on systems external to the firewall, they must be able to connect to the firewall to communicate the IP address to username mappings to the firewall. The following table lists the communication requirements for User-ID along with the port numbers required to establish connections.

Destination Port / Protocol / Description

389/TCP: Port the firewall uses to connect to an LDAP server (plaintext or Start Transport Layer Security (Start TLS)) to Map Users to Groups.

3268/TCP: Port the firewall uses to connect to an Active Directory global catalog server (plaintext or Start TLS) to Map Users to Groups.

636/TCP: Port the firewall uses for LDAP over SSL connections with an LDAP server to Map Users to Groups.

3269/TCP: Port the firewall uses for LDAP over SSL connections with an Active Directory global catalog server to Map Users to Groups.

514/TCP, 514/UDP, 6514/SSL: Port the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages if you Configure User-ID to Receive User Mappings from a Syslog Sender.

5007/TCP: Port the firewall listens on for user mapping information from the User-ID or Terminal Services agent. The agent sends the IP address and username mapping along with a timestamp whenever it learns of a new or updated mapping. In addition, it connects to the firewall at regular intervals to refresh known mappings.

5006/TCP: Port the User-ID agent listens on for User-ID XML API requests. The source for this communication is typically the system running a script that invokes the API.

88/UDP, 88/TCP: Port the User-ID agent uses to authenticate to a Kerberos server. The device tries UDP first and falls back to TCP.

1812/UDP: Port the User-ID agent uses to authenticate to a RADIUS server.

49/TCP: Port the User-ID agent uses to authenticate to a TACACS+ server.

135/TCP: Port the User-ID agent uses to establish TCP-based WMI connections with the Microsoft Remote Procedure Call (RPC) Endpoint Mapper. The Endpoint Mapper then assigns the agent a random port in the 49152-65535 port range. The agent uses this connection to make RPC queries for Exchange Server or AD server security logs and session tables. This is also the port used to access Terminal Services. The User-ID agent also uses this port to connect to client systems to perform Windows Management Instrumentation (WMI) probing.

139/TCP: Port the User-ID agent uses to establish TCP-based NetBIOS connections to the AD server so that it can send RPC queries for security logs and session information. The User-ID agent also uses this port to connect to client systems for NetBIOS probing (supported on the Windows-based User-ID agent only).

445/TCP: Port the User-ID agent uses to connect to the Active Directory (AD) using TCP-based SMB connections to the AD server for access to user logon information (print spooler and Net Logon).

Reset the Firewall to Factory Default Settings


Resetting the firewall to factory defaults will result in the loss of all configuration settings and logs.

Reset the Firewall to Factory Default Settings

Step 1  Set up a console connection to the firewall.
  1. Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1). If your computer does not have a 9-pin serial port, use a USB-to-serial port connector.
  2. Enter your login credentials.
  3. Enter the following CLI command:
       debug system maintenance-mode
     The firewall will reboot into maintenance mode.

Step 2  Reset the system to factory default settings.
  1. When the device reboots, press Enter to continue to the maintenance mode menu.
  2. Select Factory Reset and press Enter.
  3. Select Factory Reset and press Enter again.
     The firewall will reboot without any configuration settings. The default username and password to log in to the firewall is admin/admin.
     To perform initial configuration on the firewall and to set up network connectivity, see Integrate the Firewall into Your Management Network.


Authentication
Many of the services that Palo Alto Networks devices provide require authentication, including administrator
access to the web interface and end user access to Captive Portal, GlobalProtect portals, and GlobalProtect
gateways. The authentication methods that you can configure vary by service, and can include Kerberos single
sign-on (SSO), external authentication services, certificates and certificate profiles, local database accounts,
RADIUS Vendor-Specific Attributes (VSAs), and NT LAN Manager (NTLM).
The following topics describe authentication methods that are common to most device services, procedures to
configure them, how to test authentication profiles, and how to troubleshoot authentication issues:

Configure Kerberos Single Sign-On

Configure External Authentication

Test Authentication Server Connectivity

Troubleshoot Authentication Issues


Configure Kerberos Single Sign-On


Palo Alto Networks devices support Kerberos V5 single sign-on (SSO) to authenticate administrators to the web interface and end users to Captive Portal. A network that supports Kerberos SSO prompts a user to log in only for initial access to the network (for example, logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (for example, the firewall web interface) without having to log in again until the SSO session expires. (Your Kerberos administrator sets the duration of SSO sessions.) If you enable both Kerberos SSO and external authentication services (for example, a RADIUS server), the device first tries SSO and, only if that fails, falls back to the external service for authentication.

To support Kerberos SSO, your network requires:
- A Kerberos infrastructure, including a key distribution center (KDC) with an authentication server (AS) and ticket-granting service (TGS).
- A Kerberos account for each Palo Alto Networks device that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the device. The SSO process requires the keytab.

Configure Kerberos Single Sign-On

Step 1  Create a Kerberos keytab.
  1. Log in to the KDC and open a command prompt.
  2. Enter the following command, where <principal_name>, <password>, <algorithm>, and <file_name> are variables. The Kerberos principal name and password are of the device, not the user.
       ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab
     If the device is in FIPS or CC mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. Otherwise, you can also use des3-cbc-sha1 or arcfour-hmac. To use an Advanced Encryption Standard (AES) algorithm, the functional level of the KDC must be Windows Server 2008 or later and you must enable AES encryption for the device account.
     The algorithm in the keytab must match the algorithm in the service ticket that the TGS issues to clients. Your Kerberos administrator determines which algorithms the service tickets use.

Step 2  Import the keytab into an authentication profile.
  Configure an authentication profile:
  1. Enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase).
  2. Import the Kerberos Keytab that you created for the device.

Step 3  Assign the authentication profile to the user account or device service.
  - Configure an administrator account.
  - Configure Captive Portal.
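The note in Step 1 restricts which encryption type a keytab may carry. The following Python is an added example, not code from the guide or from Palo Alto Networks: it parses an MIT-format keytab (the 0x0502 file format that ktpass writes) and flags entries whose enctype is not permitted in FIPS/CC mode, so a keytab can be inspected before it is imported. The principal HTTP/fw.example.com@EXAMPLE.COM, the keys and the kvno in the sample are constructed test data.

```python
import struct
from dataclasses import dataclass

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757) for the algorithms
# named in Step 1; the names use the guide's spelling.
ENCTYPES = {
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
FIPS_CC_ALLOWED = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}


@dataclass
class KeytabEntry:
    principal: str      # components joined by "/" plus "@REALM"
    name_type: int      # 1 = KRB5_NT_PRINCIPAL, as set by /ptype
    kvno: int
    enctype: int
    key: bytes


def _read_counted(buf: bytes, pos: int):
    """Read a counted_octet_string: big-endian uint16 length followed by data."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data: bytes) -> list:
    """Parse an MIT keytab (file format version 0x0502). All integers are big-endian."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (num_components,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(num_components):
            comp, pos = _read_counted(data, pos)
            components.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(components) + "@" + realm.decode(),
                                   name_type, kvno, enctype, key))
    return entries


def check_keytab(data: bytes, fips_cc_mode: bool) -> list:
    """Return (principal, enctype name, allowed) per entry under the Step 1 rule."""
    results = []
    for e in parse_keytab(data):
        name = ENCTYPES.get(e.enctype, "unsupported(%d)" % e.enctype)
        allowed = name in FIPS_CC_ALLOWED if fips_cc_mode else name in ENCTYPES.values()
        results.append((e.principal, name, allowed))
    return results


def build_keytab(principal: str, enctype: int, key: bytes, kvno: int = 1) -> bytes:
    """Construct a one-entry keytab so the parser can run offline (test data only)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)     # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


if __name__ == "__main__":
    # Constructed sample: one AES-256 entry and one RC4 entry for the same principal.
    sample = (build_keytab("HTTP/fw.example.com@EXAMPLE.COM", 18, bytes(32)) +
              build_keytab("HTTP/fw.example.com@EXAMPLE.COM", 23, bytes(16))[2:])
    for principal, name, allowed in check_keytab(sample, fips_cc_mode=True):
        print(principal, name, "OK" if allowed else "NOT allowed in FIPS/CC mode")
```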


Configure External Authentication


Palo Alto Networks devices can use external servers for many services that require authentication, including
administrator access to the web interface and end user access to Captive Portal, GlobalProtect portals and
GlobalProtect gateways. The server protocols that Palo Alto Networks devices support include Lightweight
Directory Access Protocol (LDAP), Kerberos, Terminal Access Controller Access-Control System Plus
(TACACS+), and Remote Authentication Dial-In User Service (RADIUS). If you enable both external
authentication and Kerberos single sign-on (SSO), the device first tries SSO and, only if that fails, falls back to
the external server for authentication. To configure external authentication, you create an authentication server
profile, assign it to an authentication profile, and then enable authentication for an administrator account or
device service by assigning the authentication profile to it.

Configure Authentication Server Profiles

Configure an Authentication Profile and Sequence

Enable External Authentication for Users and Services


Configure Authentication Server Profiles

Configure a RADIUS Server Profile

RADIUS Vendor-Specific Attributes for Palo Alto Networks Devices

Configure a TACACS+ Server Profile

Configure an LDAP Server Profile

Configure a Kerberos Server Profile

CHAP and PAP Authentication for RADIUS and TACACS+ Servers


Configure a RADIUS Server Profile


You can configure Palo Alto Networks devices to use a RADIUS server for authenticating users, managing administrator accounts (if they are not local), and collecting RADIUS Vendor-Specific Attributes (VSAs) from GlobalProtect clients. To use a RADIUS server for managing administrator accounts or collecting GlobalProtect clients' VSAs, you must define VSAs on the RADIUS server. For details, see the list of supported RADIUS Vendor-Specific Attributes for Palo Alto Networks Devices.

When authenticating to the RADIUS server, the device first tries Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) under certain conditions. For details on these protocols, see CHAP and PAP Authentication for RADIUS and TACACS+ Servers.

Configure a RADIUS Server Profile

Step 1

Select Device > Server Profiles > RADIUS and click Add.

Step 2

Enter a Profile Name to identify the server profile.

Step 3

For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile
is available.

Step 4

For the Timeout, enter an interval in seconds after which an authentication request times out (range is 1-30,
default is 3).

Step 5

Enter the number of automatic Retries following a Timeout before the request fails (range is 1-5, default is 3).

Step 6

For each RADIUS server, click Add and enter a Name (to identify the server), server IP address or FQDN
(RADIUS Server field), Secret/Confirm Secret (a key to encrypt passwords), and server Port for authentication
requests (default is 1812).

Step 7

Click OK and Commit.


RADIUS Vendor-Specific Attributes for Palo Alto Networks Devices


Palo Alto Networks devices support the following RADIUS Vendor-Specific Attributes (VSAs). To define VSAs on a RADIUS server, you must specify the vendor code (25461 for Palo Alto Networks devices) and the VSA name and number. Some VSAs also require a value.

Name / Number / Value

VSAs for administrator account management and authentication

PaloAlto-Admin-Role: A default (dynamic) administrative role name or a custom administrative role name on the firewall.

PaloAlto-Admin-Access-Domain: The name of an access domain for firewall administrators (configured in the Device > Access Domains page). Define this VSA if the firewall has multiple virtual systems.

PaloAlto-Panorama-Admin-Role: A default (dynamic) administrative role name or a custom administrative role name on Panorama.

PaloAlto-Panorama-Admin-Access-Domain (number 4): The name of an access domain for Device Group and Template administrators (configured in the Panorama > Access Domains page).

PaloAlto-User-Group: The name of a user group that an authentication profile references.

VSAs forwarded from GlobalProtect clients to the RADIUS server

PaloAlto-User-Domain
PaloAlto-Client-Source-IP
PaloAlto-Client-OS
PaloAlto-Client-Hostname
PaloAlto-GlobalProtect-Client-Version (number 10)

Don't specify a value when you define these VSAs.


Configure a TACACS+ Server Profile


The Terminal Access Controller Access-Control System Plus (TACACS+) protocol provides better authentication security than RADIUS because it encrypts usernames and passwords (instead of just passwords), and is also more reliable (it uses TCP instead of UDP).
When authenticating to the TACACS+ server, the device first tries Challenge-Handshake
Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) under
certain conditions. For details on these protocols, see CHAP and PAP Authentication for RADIUS
and TACACS+ Servers.

Configure a TACACS+ Server Profile

Step 1

Select Device > Server Profiles > TACACS+ and click Add.

Step 2

Enter a Profile Name to identify the server profile.

Step 3

For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile
is available.

Step 4

For the Timeout, enter an interval in seconds after which an authentication request times out (range is 1-20,
default is 3).

Step 5

Select the Use single connection for all authentication check box to use the same TCP session for all
authentications that use this profile. This option improves performance by avoiding the need to start and end a
separate TCP session for each authentication. The check box is cleared by default.

Step 6

For each TACACS+ server, click Add and enter a Name (to identify the server), server IP address or FQDN
(TACACS+ Server field), Secret/Confirm Secret (a key to encrypt usernames and passwords), and server Port
for authentication requests (default is 49).

Step 7

Click OK and Commit.


Configure an LDAP Server Profile


An LDAP server profile enables you to:

Authenticate administrators and end users of Palo Alto Networks devices.

Define security rules based on user or group. The LDAP server profile instructs the firewall how to connect
and authenticate to the server and how to search the directory for user and group information. You must
also configure User-ID to Map Users to Groups. Then you can select users or groups when defining policy
rules.

Configure an LDAP Server Profile

Step 1

Select Device > Server Profiles > LDAP and click Add.

Step 2

Enter a Profile Name to identify the server profile.

Step 3

For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile
is available.

Step 4

For each LDAP server (up to four), click Add and enter a Name (to identify the server), server IP address (LDAP
Server field), and server Port (default 389).

Step 5

Select the server Type from the drop-down: active-directory, e-directory, sun, or other.

Step 6

If you want the device to use SSL or TLS for a more secure connection with the directory server, select the
Require SSL/TLS secured connection check box (it is selected by default). The protocol that the device uses
depends on the server Port:
- 389 (default): TLS (Specifically, the device uses the Start TLS operation, which upgrades the initial plaintext connection to TLS.)
- 636: SSL
- Any other port: The device first tries to use TLS. If the directory server doesn't support TLS, the device falls back to SSL.

Step 7

To improve security, you can select the Verify Server Certificate for SSL sessions check box (it is cleared by
default) so that the device verifies the certificate that the directory server presents for SSL/TLS connections. If
the verification fails, the connection fails. To enable verification, you must also select the Require SSL/TLS
secured connection check box. The device verifies the certificate in two respects:
- The certificate is trusted and valid. For the device to trust the certificate, its root certificate authority (CA) and any intermediate certificates must be in the certificate store under Device > Certificate Management > Certificates > Device Certificates. Import the certificate if necessary: see Import a Certificate and Private Key.
- The certificate name must match the host Name of the LDAP server. The device first checks the certificate attribute Subject AltName for matching, then tries the attribute Subject DN. If the certificate uses the FQDN of the directory server, you must enter that FQDN in the LDAP Server field for the name matching to succeed.

Step 8

Click OK and Commit.


Configure a Kerberos Server Profile


A Kerberos server profile enables users to natively authenticate to an Active Directory domain controller or a
Kerberos V5-compliant authentication server. This authentication method is interactive, requiring users to enter
usernames and passwords, in contrast with Kerberos single sign-on (SSO), which involves transparent
authentication.
To use a Kerberos server for authentication, the server must be accessible over an IPv4 address.
IPv6 addresses are not supported.

Configure a Kerberos Server Profile

Step 1

Select Device > Server Profiles > Kerberos and click Add.

Step 2

Enter a Profile Name to identify the server profile.

Step 3

For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile
is available.

Step 4

For each Kerberos server, click Add and enter a Name (to identify the server), server IPv4 address or FQDN
(Kerberos Server field), and an optional Port number for communication with the server (default 88).

Step 5

Click OK and Commit.


CHAP and PAP Authentication for RADIUS and TACACS+ Servers


When you configure a Palo Alto Networks device to use RADIUS or TACACS+ server authentication for a particular service (for example, Captive Portal), the device first tries to authenticate to the server using Challenge-Handshake Authentication Protocol (CHAP). The device falls back to Password Authentication Protocol (PAP) if the server rejects the CHAP request. This will happen if, for example, the server doesn't support CHAP or isn't configured for CHAP.

When configuring a RADIUS or TACACS+ server for CHAP, you must define user accounts with reversibly encrypted passwords. Otherwise, CHAP authentication will fail.

CHAP is the preferred protocol because it is more secure than PAP. After the device falls back to PAP for a particular RADIUS or TACACS+ server, the device uses only PAP in subsequent attempts to authenticate to that server. PAN-OS records a fallback to PAP as a medium-severity event in the System logs. If you modify any fields in the RADIUS or TACACS+ server profile and then commit the changes, the device reverts to first trying CHAP for that server.
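To show why the note above requires reversibly encrypted passwords, the following Python is an added example (not PAN-OS or Palo Alto Networks code): it computes the RADIUS CHAP-Password response from RFC 2865 and RFC 1994, shows that a server holding only a one-way hash cannot verify it, contrasts that with the reversible User-Password hiding that PAP uses, and models the CHAP-to-PAP fallback and reset behaviour described above. The challenge, passwords and shared secret are constructed values.

```python
import hashlib
import secrets

# RFC 2865 section 5.3 / RFC 1994: the RADIUS CHAP-Password attribute is a
# one-octet CHAP identifier followed by MD5(identifier || password || challenge).
# The challenge travels in CHAP-Challenge (or the Request Authenticator).


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the client (here, the firewall) places in CHAP-Password."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def server_verify_chap(stored_password, ident: int, challenge: bytes, response: bytes):
    """Server side. With the cleartext (reversibly encrypted) password on file the
    server recomputes the digest and returns True/False. With only a one-way hash
    on file it cannot recompute it at all and returns None: that is the case in
    which the note above says CHAP authentication will fail."""
    if stored_password is None:
        return None
    expected = chap_response(ident, stored_password, challenge)
    return secrets.compare_digest(response, expected)


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding used by PAP: pad to 16-octet
    blocks, XOR block 1 with MD5(secret || Request Authenticator) and each later
    block with MD5(secret || previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def pap_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The inverse: anyone holding the shared secret recovers the password, which
    is why the text calls PAP less secure than CHAP."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


class ServerProtocolState:
    """Per-server protocol choice as the text describes it: CHAP first, a
    permanent switch to PAP once the server rejects CHAP (recorded as a
    medium-severity event), and a reset to CHAP when the server profile is
    modified and committed. Simulation only, not PAN-OS code."""

    def __init__(self):
        self.protocol = "CHAP"
        self.system_log = []          # stands in for the System log entries

    def authenticate(self, server_accepts_chap: bool) -> str:
        if self.protocol == "CHAP" and not server_accepts_chap:
            self.protocol = "PAP"
            self.system_log.append("medium: CHAP rejected, falling back to PAP")
        return self.protocol

    def commit_profile_change(self):
        self.protocol = "CHAP"
```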


Configure an Authentication Profile and Sequence


An authentication profile specifies the authentication service that validates the credentials of an administrator
during login and defines how a Palo Alto Networks device accesses the service. If you create a local
administrator account on the device, you can authenticate the administrator to the local database, use an external
service (RADIUS, TACACS+, LDAP, or Kerberos server), or use Kerberos single sign-on (SSO).
Some networks have multiple databases for different users and user groups. To authenticate to multiple
authentication sources (for example, local database and LDAP), configure an authentication sequence. An
authentication sequence is a ranked order of authentication profiles that the device matches an administrator
against during login. The device checks against the local database first, and then checks each profile in sequence
until one successfully authenticates the administrator. An administrator is denied access only if an authentication
failure occurs for all the profiles in the authentication sequence.
Configure an Authentication Profile and Sequence

Step 1

Create a Kerberos keytab.


Required if the device will use Kerberos
SSO authentication.

Step 2

Configure an external server profile.

Create a Kerberos keytab. A keytab is a file that contains Kerberos


account information (principal name and hashed password) for the
device.
Configure a RADIUS Server Profile.

Required if the device will use an external Configure a TACACS+ Server Profile.
service for authentication.
Configure an LDAP Server Profile.
Configure a Kerberos Server Profile.

Palo Alto Networks

PAN-OS 7.0 Administrators Guide 145

Configure External Authentication

Authentication

Configure an Authentication Profile and Sequence (Continued)

Step 3

Configure an authentication profile.

1.
2.
3.

Define one or both of the following


authentication phases:
Kerberos SSOThe device first tries
SSO authentication. If that fails, the
4.
device falls back to authentication of
the Type specified in the profile.
Local database or external
authenticationThe device prompts
the user to enter login credentials, and 5.
uses its local database or an external
service to authenticate the user.

Select Device > Authentication Profile and click Add.


Enter a Name to identify the authentication profile.
If the firewall has more than one virtual system (vsys), select a
Location (a vsys or Shared) where the profile is available.
In the Authentication tab, select the authentication Type. If you
select RADIUS, TACACS+, LDAP, or Kerberos, select the
authentication Server Profile from the drop-down.
If the Type is LDAP, define the Login Attribute. For
Active Directory, enter sAMAccountName as the value.
(Optional) Specify User Domain and Username Modifier
values to modify the domain/username string that the user will
enter during login. This is useful when the authentication
service requires the string in a particular format and you dont
want to rely on users to correctly enter the domain. Select from
the following options:
To send only the unmodified user input, leave the User
Domain blank (the default) and set the Username Modifier
to the variable %USERINPUT% (the default).
To prepend a domain to the user input, enter a User Domain
and set the Username Modifier to
%USERDOMAIN%\%USERINPUT%.
To append a domain to the user input, enter a User Domain
and set the Username Modifier to
%USERINPUT%@%USERDOMAIN%.

6.

If you want to enable Kerberos SSO, enter the Kerberos Realm


(usually the DNS domain of the users, except that the realm is
uppercase) and Import the Kerberos Keytab that you created
for the device.
7. Select the Advanced tab and, in the Allow List, click Add to
select the users and groups that can authenticate with this
profile. You can select users/groups from the local database or,
if you configured an LDAP server profile, from an
LDAP-based directory service such as Active Directory.
Selecting all allows every user to authenticate. By default, the
list is empty, meaning no users can authenticate.
You can also create and allow custom groups based on
LDAP filters: see Map Users to Groups.
8. Enter the number of Failed Attempts (0-10) to log in that the
device allows before locking out the user. The default value 0
means there is no limit.
9. Enter the Lockout Time (0-60), which is the number of minutes
for which the device locks out the user after reaching the Failed
Attempts limit. The default value 0 means the lockout applies
until an administrator unlocks the user account.
10. Click OK to save the authentication profile.

Step 4

Configure an authentication sequence.
Required if you want the device to try multiple authentication profiles to authenticate users. The device
evaluates the profiles in top-to-bottom order, applying the Kerberos SSO, authentication service, allow list, and
account lockout values for each, until one profile successfully authenticates the user. The device denies access
only if all the profiles in the sequence fail to authenticate.

1. Select Device > Authentication Sequence and click Add.
2. Enter a Name to identify the authentication sequence.
3. If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the
sequence is available.
To expedite the authentication process, the best practice is to select the Use domain to determine
authentication profile check box: the device will match the domain name that a user enters during login with
the User Domain or Kerberos Realm of an authentication profile in the sequence, and then use that profile to
authenticate the user. If the device doesn't find a match, or if you clear the check box, the device tries the
profiles in the top-to-bottom sequence.
4. For each authentication profile to include, click Add and select from the drop-down. To change the
evaluation order of the profiles, select a profile and click Move Up or Move Down.
5. Click OK to save the authentication sequence.

Step 5

Assign the authentication profile or sequence.
Assign the authentication profile or sequence to a user or device service.
Enable External Authentication for Users and Services


Palo Alto Networks devices can use external services to authenticate administrators, end users, and other
devices.
Enable External Authentication

Step 1

Configure an external server profile.
Configure a RADIUS Server Profile.
Configure a TACACS+ Server Profile.
Configure an LDAP Server Profile.
Configure a Kerberos Server Profile.

Step 2

Assign the server profile to an authentication profile.
Configure an Authentication Profile and Sequence. Optionally, you can assign multiple authentication profiles to
an authentication sequence.

Step 3

Assign the authentication profile or sequence to a user or device service.
Administrators: Configure an Administrative Account.
End users:
Configure Captive Portal.
Configure the GlobalProtect portal.
Configure the GlobalProtect gateway.
Device services:
Configure Routing Information Protocol (RIP).
Configure Open Shortest Path First (OSPF).
Configure Border Gateway Protocol (BGP).
Test Authentication Server Connectivity


After you configure an authentication profile on a Palo Alto Networks firewall or Panorama manager, you can
use the test authentication feature to determine if the device can communicate with the back-end authentication
server and if the authentication request was successful. You can additionally test authentication profiles used for
GlobalProtect and Captive Portal authentication. You can perform authentication tests on the candidate
configuration, so that you know the configuration is correct before committing.
Authentication server connectivity testing is supported for local database, RADIUS, TACACS+, LDAP, and
Kerberos authentication.
The following topics describe how to use the test authentication command and provide use case examples:

Run the Test Authentication Command

Local Database Authentication Profile Use Case

RADIUS Authentication Profile Use Case

TACACS+ Authentication Profile Use Case

LDAP Authentication Profile Use Case

Kerberos Authentication Profile Use Case

Run the Test Authentication Command

Step 1

On the PAN-OS firewall or Panorama server, Configure an authentication profile. You do not need to commit
the authentication or server profile configuration prior to testing.

Step 2

Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3

(Firewalls with virtual systems configured) Define the target virtual system that the test command will access.
This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command
can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsys-name>

For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2

The target-vsys command is per-login session, so the system clears the option when you log off.

Step 4

Test an authentication profile by entering the following command:
admin@PA-3060> test authentication authentication-profile <authentication-profile-name> username <username> password

For example, to test an authentication profile named my-profile for a user named bsimpson, run the following
command:
admin@PA-3060> test authentication authentication-profile my-profile username bsimpson password
When entering authentication profile names and server profile names in the test command, the names are case
sensitive. Also, if the authentication profile has a username modifier defined, you must enter the modifier with
the username. For example, if you add the username modifier %USERINPUT%@%USERDOMAIN% for a
user named bsimpson and the domain name is mydomain.com, enter bsimpson@mydomain.com as the
username. This will ensure that the correct credentials are sent to the authentication server. In this example,
mydomain.com is the domain that you define in the User Domain field in the Authentication profile.
Step 5

View the output of the test results.


If the authentication profile is configured correctly, the output displays Authentication succeeded. If there
is a configuration issue, the output displays information to help you troubleshoot the configuration.
For example use cases on the supported authentication profile types, see Local Database Authentication Profile
Use Case.
The output results vary based on several factors related to the authentication type that you are testing as
well as the type of issue. For example, RADIUS and TACACS+ use different underlying libraries, so the
same issue that exists for both of these types will produce different errors. Also, if there is a network
problem, such as using an incorrect port or IP address in the authentication server profile, the output
error is not specific. This is because the test command cannot perform the initial handshake between
the firewall and the authentication server to determine details about the issue.

Local Database Authentication Profile Use Case


The following example shows how to test a Local Database authentication profile named LocalDB for a user
named User1-LocalDB and how to troubleshoot error conditions that arise. For details on using the test
authentication command, see Run the Test Authentication Command.
Local Database Authentication Profile Test Example

Step 1

On the PAN-OS firewall, ensure that you have an administrator configured with the type Local Database. For
information on administrator accounts, refer to Manage Firewall Administrators.

Step 2

Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3

(Firewalls with virtual systems configured) Define the target virtual system that the test command will access.
This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command
can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsys-name>

For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2

The target-vsys command is per-login session, so the system clears the option when you log off.

Step 4

Run the following CLI command:


admin@PA-3060> test authentication authentication-profile LocalDB-Profile username User1-LocalDB password

Step 5

When prompted, enter the password for the User1-LocalDB account. The following output shows that the test
failed:
Allow list check error:
Do allow list check before sending out authentication request...
User User1-LocalDB is not allowed with authentication profile LocalDB-Profile

In this case, the last line of the output shows that the user is not allowed, which indicates a configuration
problem in the authentication profile.
Step 6

To resolve this issue, modify the authentication profile and add the user to the Allow List.
1. On the firewall, select Device > Authentication Profile and modify the profile named LocalDB-Profile.
2. Click the Advanced tab and add User1-LocalDB to the Allow List.
3. Click OK to save the change.

Step 7

Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User1-LocalDB" has an exact match in allow list
Authentication by Local User Database for user "User1-LocalDB"
Authentication succeeded for Local User Database user "User1-LocalDB"

RADIUS Authentication Profile Use Case


The following example shows how to test a RADIUS profile named RADIUS-Profile for a user named
User2-RADIUS and how to troubleshoot error conditions that arise. For details on using the test authentication
command, see Run the Test Authentication Command.
RADIUS Authentication Profile Test Example

Step 1

On the PAN-OS firewall, Configure a RADIUS Server Profile and Configure an authentication profile. In the
authentication profile, you select the new RADIUS server profile in the Server Profile drop-down.

Step 2

Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3

(Firewalls with virtual systems configured) Define the target virtual system that the test command will access.
This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command
can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsys-name>

For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2

The target-vsys command is per-login session, so the system clears the option when you log off.

Step 4

Run the following CLI command:


admin@PA-3060> test authentication authentication-profile RADIUS-Profile username User2-RADIUS password

Step 5

When prompted, enter the password for the User2-RADIUS account. The following output shows that the test
failed:
Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS error: Invalid RADIUS response received - Bad MD5
Authentication failed against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"

In this case, the output shows Bad MD5, which indicates that there may be an issue with the secret defined in the
RADIUS server profile.
Step 6

To resolve this issue, modify the RADIUS server profile and ensure that the secret defined on the RADIUS
server matches the secret in the server profile.
1. On the firewall, select Device > Server Profiles > RADIUS and modify the profile named RADIUS-Profile.
2. In the Servers section, locate the RADIUS server and modify the Secret field.
3. Type in the correct secret and then retype to confirm.
4. Click OK to save the change.

Step 7

Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS CHAP auth request is NOT accepted, try PAP next
Authentication type: PAP
Now send request to remote server ...
Authentication succeeded against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Authentication succeeded for user "User2-RADIUS"

TACACS+ Authentication Profile Use Case


The following example shows how to test a TACACS+ profile named TACACS-Profile for a user named
User3-TACACS and how to troubleshoot error conditions that arise. For details on using the test authentication
command, see Run the Test Authentication Command.
TACACS+ Authentication Profile Test Example

Step 1

On the PAN-OS firewall, Configure a TACACS+ Server Profile and Configure an authentication profile. In
the authentication profile, you select the new TACACS+ server profile in the Server Profile drop-down.

Step 2

Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3

(Firewalls with virtual systems configured) Define the target virtual system that the test command will access.
This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command
can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsys-name>

For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2

The target-vsys command is per-login session, so the system clears the option when you log off.

Step 4

Run the following CLI command:


admin@PA-3060> test authentication authentication-profile TACACS-Profile username User3-TACACS password

Step 5

When prompted, enter the password for the User3-TACACS account. The following output shows that the test
failed:
Do allow list check before sending out authentication request...
name "User2-TACACS" is in group "all"
Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
Server port: 49, timeout: 30, flag: 0
Egress: 10.5.104.98
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
Failed to send CHAP authentication request: Network read timed out
Attempting PAP authentication ...
PAP authentication request is created
Failed to send PAP authentication request: Network read timed out
Returned status: -1
Authentication failed against TACACS+ server at 10.5.196.62:49 for user User2-TACACS
Authentication failed for user "User2-TACACS"

The output shows the error Network read timed out, which indicates that the TACACS+ server could not
decrypt the authentication request. In this case, there may be an issue with the secret defined in the TACACS+
server profile.
Step 6

To resolve this issue, modify the TACACS+ server profile and ensure that the secret defined on the TACACS+
server matches the secret in the server profile.
1. On the firewall, select Device > Server Profiles > TACACS+ and modify the profile named TACACS-Profile.
2. In the Servers section, locate the TACACS+ server and modify the Secret field.
3. Type in the correct secret and then retype to confirm.
4. Click OK to save the change.

Step 7

Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User2-TACACS" is in group "all"
Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
Server port: 49, timeout: 30, flag: 0
Egress: 10.5.104.98
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
CHAP authentication request is sent
Authentication succeeded!
Authentication succeeded for user "User2-TACACS"

LDAP Authentication Profile Use Case


The following example shows how to test an LDAP authentication profile named LDAP-Profile for a user named
User4-LDAP and how to troubleshoot error conditions that arise. For details on using the test authentication
command, see Run the Test Authentication Command.
LDAP Authentication Profile Test Example

Step 1

On the PAN-OS firewall, Configure an LDAP Server Profile and Configure an authentication profile. In the
authentication profile, you select the new LDAP server profile in the Server Profile drop-down.

Step 2

Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3

(Firewalls with virtual systems configured) Define the target virtual system that the test command will access.
This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command
can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsys-name>

For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2

The target-vsys command is per-login session, so the system clears the option when you log off.

Step 4

Run the following CLI command:


admin@PA-3060> test authentication authentication-profile LDAP-Profile username User4-LDAP password

Step 5

When prompted, enter the password for the User4-LDAP account. The following output shows that the test
failed:
Do allow list check before sending out authentication request...
name "User4-LDAP" is in group "all"
Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Egress: 10.5.104.98
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
parse error of dn and attributes for user "User4-LDAP"
Authentication failed against LDAP server at 10.5.104.99:389 for user "User4-LDAP"
Authentication failed for user "User4-LDAP"

The output shows parse error of dn and attributes for user User4-LDAP, which indicates a Bind DN
value issue in the LDAP server profile. In this case, a Domain Component (DC) value is incorrect.

Step 6

To resolve this issue, modify the LDAP server profile and ensure that the Bind DN DC value is correct by
comparing the DC value with the DC value of the LDAP server.
1. On the firewall, select Device > Server Profiles > LDAP and modify the profile named LDAP-Profile.
2. In the Server settings section, enter the correct value for the DC in the Bind DN field. In this case, the correct
value for the DC is MGMT-GROUP.
3. Click OK to save the change.

Step 7

Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User4-LDAP" is in group "all"
Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Egress: 10.5.104.98
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=User4-LDAP,CN=Users,DC=MGMT-GROUP,DC=local
User expires in days: never
Authentication succeeded for user "User4-LDAP"

Kerberos Authentication Profile Use Case


The following example shows how to test a Kerberos profile named Kerberos-Profile for a user named
User5-Kerberos and how to troubleshoot error conditions that arise. For details on using the test authentication
command, see Run the Test Authentication Command.
Kerberos Authentication Profile Test Example

Step 1

On the PAN-OS firewall, Configure a Kerberos Server Profile and Configure an authentication profile. In the
authentication profile, you select the new Kerberos server profile in the Server Profile drop-down.

Step 2

Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3

(Firewalls with virtual systems configured) Define the target virtual system that the test command will access.
This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command
can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsys-name>

For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2

The target-vsys command is per-login session, so the system clears the option when you log off.

Step 4

Run the following CLI command:


admin@PA-3060> test authentication authentication-profile Kerberos-Profile username User5-Kerberos password

Step 5

When prompted, enter the password for the User5-Kerberos account. The following output shows that the test
failed:
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'Bad-MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication failure: Wrong realm: 'Bad-MGMT-GROUP.LOCAL' (code: -1765328316)
Authentication failed against KERBEROS server at 10.5.104.99:88 for user "User5-Kerberos"
Authentication failed for user "User5-Kerberos"

In this case, the output shows Wrong realm, which indicates that the Kerberos realm has an incorrect value.

Step 6

To resolve this issue, modify the Kerberos server profile and ensure that the Realm value is correct by comparing
it with the realm name on the Kerberos server.
1. On the firewall, select Device > Authentication Profiles and modify the profile named Kerberos-Profile.
2. In the Kerberos Realm field, enter the correct value. In this case, the correct realm is mgmt-group.local.
3. Click OK to save the change.

Step 7

Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication succeeded!
Authentication succeeded for user "User5-Kerberos"
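Each of the five use cases above (local database, RADIUS, TACACS+, LDAP, Kerberos) turns on one diagnostic line in the test authentication output. The following added example (not Palo Alto Networks code) runs those signatures over sample output, constructed from the outputs shown in this section, and reports the likely cause and the screen where each use case corrects it:

```python
"""Classify the output of the PAN-OS 'test authentication' command.

Added example, not Palo Alto Networks code. The signatures are the error lines
the five use cases in this section show, mapped to the cause and the screen each
use case names; output from other failures gets no diagnosis. The sample outputs
at the bottom are constructed from the use cases above.
"""
import re

# (regex over the whole output, diagnosis, where the guide fixes it); first match wins
SIGNATURES = [
    (r"is not allowed with authentication profile (\S+)",
     "user is missing from the Allow List",
     "Device > Authentication Profile > Advanced > Allow List"),
    (r"Invalid RADIUS response received - Bad MD5",
     "RADIUS shared secret does not match the server",
     "Device > Server Profiles > RADIUS > Secret"),
    (r"Failed to send \w+ authentication request: Network read timed out",
     "TACACS+ server could not decrypt the request (shared secret)",
     "Device > Server Profiles > TACACS+ > Secret"),
    (r"parse error of dn and attributes for user",
     "LDAP Bind DN is wrong (check the DC components)",
     "Device > Server Profiles > LDAP > Bind DN"),
    (r"Authentication failure: Wrong realm: '([^']+)'",
     "Kerberos realm does not match the KDC",
     "Device > Authentication Profile > Kerberos Realm"),
]
PROTOCOL_RE = re.compile(r"Authentication to (\S+) server at")
USER_RE = re.compile(r"(?:for user|^User) ['\"]?([^'\"\s]+)", re.MULTILINE)
SERVER_RE = re.compile(r"server at '?([0-9.]+)'?")
PROFILE_RE = re.compile(r"authentication profile (\S+)")


def classify(output: str) -> dict:
    """Return status, protocol, user, server, profile and (on failure) a diagnosis."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    last = lines[-1] if lines else ""
    if "Authentication succeeded" in last:
        status = "succeeded"
    elif "failed" in last or "not allowed" in last:
        status = "failed"
    else:
        status = "unknown"
    result = {"status": status, "protocol": None, "user": None, "server": None,
              "profile": None, "diagnosis": None, "fix_at": None, "notes": []}
    for key, rx in (("protocol", PROTOCOL_RE), ("user", USER_RE),
                    ("server", SERVER_RE), ("profile", PROFILE_RE)):
        m = rx.search(output)
        if m:
            result[key] = m.group(1)
    # The RADIUS success output shows the server rejecting CHAP and the firewall
    # retrying with PAP; flag it, since PAP carries the password itself.
    if "try PAP next" in output:
        result["notes"].append("server rejected CHAP; firewall retried with PAP")
    if status == "failed":
        for pattern, diagnosis, fix_at in SIGNATURES:
            m = re.search(pattern, output)
            if m:
                result["diagnosis"], result["fix_at"] = diagnosis, fix_at
                if m.groups():
                    result["notes"].append(f"matched value: {m.group(1)}")
                break
    return result


# Constructed sample outputs, taken from the use cases in this section.
LOCAL_FAIL = """Allow list check error:
Do allow list check before sending out authentication request...
User User1-LocalDB is not allowed with authentication profile LocalDB-Profile
"""
RADIUS_FAIL = """Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS error: Invalid RADIUS response received - Bad MD5
Authentication failed against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
"""
RADIUS_OK = """Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Authentication type: CHAP
RADIUS CHAP auth request is NOT accepted, try PAP next
Authentication type: PAP
Authentication succeeded against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Authentication succeeded for user "User2-RADIUS"
"""
```

A network-level problem (wrong port or address in the server profile) produces no specific line, as the guide notes, so classify() returns status "failed" with no diagnosis for it.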

Troubleshoot Authentication Issues


When users fail to authenticate to a Palo Alto Networks device, or the authentication process takes longer than
expected, analyzing authentication-related information can help you determine whether the failure or delay
resulted from:

User behavior. For example, users are locked out after entering the wrong credentials, or a high volume of
users are simultaneously attempting access.

System or network issues. For example, an authentication server is inaccessible.

Configuration issues. For example, the Allow List of an authentication profile doesn't have all the users it
should have.

The following CLI commands display information that can help you troubleshoot these issues:

Task: Use the show authentication locked-users command to display the number of locked user accounts
associated with the authentication profile (auth-profile option), authentication sequence (is-seq option), or
virtual system (vsys option).

Command:
show authentication locked-users
{
  vsys <value> |
  auth-profile <value> |
  is-seq {yes | no} {auth-profile | vsys} <value>
}

To unlock administrator users, use the command:
set management-server unlock admin <user_name>
Task: Use the debug authentication command to troubleshoot authentication events.

Command:
debug authentication
{
  on {debug | dump | error | info | warn} |
  show |
  show-active-requests |
  show-pending-requests |
  connection-show
  {
    connection-id |
    protocol-type
    {
      Kerberos connection-id <value> |
      LDAP connection-id <value> |
      RADIUS connection-id <value> |
      TACACS+ connection-id <value>
    }
  } |
  connection-debug-on
  {
    connection-id |
    debug-prefix |
    protocol-type
    {
      Kerberos connection-id <value> |
      LDAP connection-id <value> |
      RADIUS connection-id <value> |
      TACACS+ connection-id <value>
    }
  } |
  connection-debug-off
  {
    connection-id |
    protocol-type
    {
      Kerberos connection-id <value> |
      LDAP connection-id <value> |
      RADIUS connection-id <value> |
      TACACS+ connection-id <value>
    }
  }
}

Use the show options to display authentication request statistics and the current debugging level:
show displays the current debugging level for the authentication service (authd).
show-active-requests displays the number of active checks for authentication requests, allow lists, and locked
user accounts.
show-pending-requests displays the number of pending checks for authentication requests, allow lists, and
locked user accounts.
connection-show displays authentication request and response statistics for all authentication servers or for a
specific protocol type.

Use the connection-debug options to enable or disable authentication debugging:
Use the on option to enable or the off option to disable debugging for authd.
Use the connection-debug-on option to enable or the connection-debug-off option to disable debugging for all
authentication servers or for a specific protocol type.

Certificate Management
The following topics describe the different keys and certificates that Palo Alto Networks devices use, and how
to obtain and manage them:

Keys and Certificates

Certificate Revocation

Certificate Deployment

Set Up Verification for Certificate Revocation Status

Configure the Master Key

Obtain Certificates

Export a Certificate and Private Key

Configure a Certificate Profile

Configure an SSL/TLS Service Profile

Configure the Key Size for SSL Forward Proxy Server Certificates

Revoke and Renew Certificates

Secure Keys with a Hardware Security Module

Palo Alto Networks

PAN-OS 7.0 Administrators Guide 163

Keys and Certificates

Certificate Management

Keys and Certificates


To ensure trust between parties in a secure communication session, Palo Alto Networks devices use digital
certificates. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each
certificate also includes a digital signature to authenticate the identity of the issuer. The issuer must be in the list
of trusted certificate authorities (CAs) of the authenticating party. Optionally, the authenticating party verifies
the issuer did not revoke the certificate (see Certificate Revocation).
Palo Alto Networks devices use certificates in the following applications:

User authentication for Captive Portal, GlobalProtect, Mobile Security Manager, and web interface access
to a Palo Alto Networks device.

Device authentication for GlobalProtect VPN (remote user-to-site or large scale).

Device authentication for IPSec site-to-site VPN with Internet Key Exchange (IKE).

Decrypting inbound and outbound SSL traffic.
A firewall decrypts the traffic to apply policy rules, then re-encrypts it before forwarding the traffic to the
final destination. For outbound traffic, the firewall acts as a forward proxy server, establishing an SSL/TLS
connection to the destination server. To secure a connection between itself and the client, the firewall uses
a signing certificate to automatically generate a copy of the destination server certificate.

The following table describes the keys and certificates that Palo Alto Networks devices use. As a best practice,
use different keys and certificates for each usage.
Table: Palo Alto Networks Device Keys/Certificates
Key/Certificate Usage

Description

Administrative Access

Secure access to device administration interfaces (HTTPS access to the web interface)
requires a server certificate for the MGT interface (or a designated interface on the
dataplane if the device does not use MGT) and, optionally, a certificate to authenticate the
administrator.

Captive Portal

In deployments where Captive Portal identifies users who access HTTPS resources,
designate a server certificate for the Captive Portal interface. If you configure Captive Portal
to use certificates (instead of, or in addition to, username/password credentials) for user
identification, designate a user certificate also. For more information on Captive Portal, see
Map IP Addresses to Usernames Using Captive Portal.

Forward Trust

For outbound SSL/TLS traffic, if a firewall acting as a forward proxy trusts the CA that
signed the certificate of the destination server, the firewall uses the forward trust CA
certificate to generate a copy of the destination server certificate to present to the client. To
set the key size, see Configure the Key Size for SSL Forward Proxy Server Certificates. For
added security, store the key on a hardware security module (for details, see Secure Keys with
a Hardware Security Module).

Forward Untrust

For outbound SSL/TLS traffic, if a firewall acting as a forward proxy does not trust the CA
that signed the certificate of the destination server, the firewall uses the forward untrust CA
certificate to generate a copy of the destination server certificate to present to the client.


SSL Inbound Inspection

The keys that decrypt inbound SSL/TLS traffic for inspection and policy enforcement. For
this application, import onto the firewall a private key for each server that is subject to
SSL/TLS inbound inspection. See Configure SSL Inbound Inspection.

SSL Exclude Certificate

Certificates for servers to exclude from SSL/TLS decryption. For example, if you enable
SSL decryption but your network includes servers for which the firewall should not decrypt
traffic (for example, web services for your HR systems), import the corresponding
certificates onto the firewall and configure them as SSL Exclude Certificates. See Configure
Decryption Exceptions.

GlobalProtect

All interaction among GlobalProtect components occurs over SSL/TLS connections.


Therefore, as part of the GlobalProtect deployment, deploy server certificates for all
GlobalProtect portals, gateways, and Mobile Security Managers. Optionally, deploy
certificates for authenticating users also.
Note that the GlobalProtect Large Scale VPN (LSVPN) feature requires a CA signing
certificate.

Site-to-Site VPNs (IKE)

In a site-to-site IPSec VPN deployment, peer devices use Internet Key Exchange (IKE)
gateways to establish a secure channel. IKE gateways use certificates or preshared keys to
authenticate the peers to each other. You configure and assign the certificates or keys when
defining an IKE gateway on a firewall. See Site-to-Site VPN Overview.

Master Key

The firewall uses a master key to encrypt all private keys and passwords. If your network
requires a secure location for storing private keys, you can use an encryption (wrapping) key
stored on a hardware security module (HSM) to encrypt the master key. For details, see
Encrypt a Master Key Using an HSM.

Secure Syslog

The certificate to enable secure connections between the firewall and a syslog server. See
Syslog Field Descriptions.

Trusted Root CA

The designation for a root certificate issued by a CA that the firewall trusts. The firewall can
use a self-signed root CA certificate to automatically issue certificates for other applications
(for example, SSL Forward Proxy).
Also, if a firewall must establish secure connections with other firewalls, the root CA that
issues their certificates must be in the list of trusted root CAs on the firewall.

Certificate Revocation
Palo Alto Networks devices use digital certificates to ensure trust between parties in a secure communication
session. Configuring a device to check the revocation status of certificates provides additional security. A party
that presents a revoked certificate is not trustworthy. When a certificate is part of a chain, the device checks the
status of every certificate in the chain except the root CA certificate, for which the device cannot verify
revocation status.
Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of
name, change of association between subject and certificate authority (for example, an employee terminates
employment), and compromise (known or suspected) of the private key. Under such circumstances, the
certificate authority that issued the certificate must revoke it.
Palo Alto Networks devices support the following methods for verifying certificate revocation status. If you
configure both, the devices first try the OCSP method; if the OCSP server is unavailable, the devices use the
CRL method.

Certificate Revocation List (CRL)

Open Certificate Status Protocol (OCSP)


In PAN-OS, certificate revocation status verification is an optional feature. It is a best practice to
enable it for certificate profiles, which define user and device authentication for Captive Portal,
GlobalProtect, site-to-site IPSec VPN, and web interface access to Palo Alto Networks devices.

Certificate Revocation List (CRL)


Each certificate authority (CA) periodically issues a certificate revocation list (CRL) to a public repository. The
CRL identifies revoked certificates by serial number. After the CA revokes a certificate, the next CRL update
will include the serial number of that certificate.
The Palo Alto Networks firewall downloads and caches the last-issued CRL for every CA listed in the trusted
CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate, the
firewall cache does not store the CRL for the issuing CA. Also, the cache only stores a CRL until it expires.
The firewall supports CRLs only in Distinguished Encoding Rules (DER) format. If the firewall downloads a
CRL in any other format (for example, Privacy Enhanced Mail (PEM) format), any revocation verification
process that uses that CRL will fail when a user performs an activity that triggers the process (for example,
sending outbound SSL data). The firewall will generate a system log for the verification failure. If the verification
was for an SSL certificate, the firewall will also display the SSL Certificate Errors Notify response page to the
user.
To use CRLs for verifying the revocation status of certificates used for the decryption of inbound and outbound
SSL/TLS traffic, see Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption.
To use CRLs for verifying the revocation status of certificates that authenticate users and devices, configure a
certificate profile and assign it to the interfaces that are specific to the application: Captive Portal, GlobalProtect
(remote user-to-site or large scale), site-to-site IPSec VPN, or web interface access to Palo Alto Networks
devices. For details, see Configure Revocation Status Verification of Certificates Used for User/Device
Authentication.

Open Certificate Status Protocol (OCSP)


When establishing an SSL/TLS session, clients can use Online Certificate Status Protocol (OCSP) to check the
revocation status of the authentication certificate. The authenticating client sends a request containing the serial
number of the certificate to the OCSP responder (server). The responder searches the database of the certificate
authority (CA) that issued the certificate and returns a response containing the status (good, revoked or unknown)
to the client. The advantage of the OCSP method is that it can verify status in real-time, instead of depending
on the issue frequency (hourly, daily, or weekly) of CRLs.
The Palo Alto Networks firewall downloads and caches OCSP status information for every CA listed in the
trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a
certificate, the firewall cache does not store the OCSP information for the issuing CA. If your enterprise has its
own public key infrastructure (PKI), you can configure the firewall as an OCSP responder (see Configure an
OCSP Responder).
To use OCSP for verifying the revocation status of certificates when the firewall functions as an SSL forward
proxy, perform the steps under Configure Revocation Status Verification of Certificates Used for SSL/TLS
Decryption.
The following applications use certificates to authenticate users and/or devices: Captive Portal, GlobalProtect
(remote user-to-site or large scale), site-to-site IPSec VPN, and web interface access to Palo Alto Networks
devices. To use OCSP for verifying the revocation status of the certificates:

Configure an OCSP responder.


Enable the HTTP OCSP service on the firewall.
Create or obtain a certificate for each application.
Configure a certificate profile for each application.
Assign the certificate profile to the relevant application.

To cover situations where the OCSP responder is unavailable, configure CRL as a fall-back method. For details,
see Configure Revocation Status Verification of Certificates Used for User/Device Authentication.
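The CRL and OCSP checks described in this section and the preceding Certificate Revocation List (CRL) section, as an added example that is not part of the PAN-OS guide or of Palo Alto Networks' own code: a POSIX shell script that builds a lab CA with the openssl CLI, revokes one certificate, and then answers the revocation question both ways, from a CRL (converted to the DER encoding the firewall requires) and through an OCSP request/response exchange run entirely offline. The CA name "Lab Root CA", the *.lab.test host names, the serial numbers and the directory layout are constructed for the example; no firewall is involved.

```shell
#!/bin/sh
# Added example (not from the PAN-OS guide): a throwaway lab CA built with the
# openssl CLI, used to run the two revocation checks described above. One CA
# database (index.txt) feeds both a CRL, converted to the DER encoding the
# firewall requires, and an offline OCSP request/response exchange.
# "Lab Root CA" and the *.lab.test names are constructed for this example.
set -eu

LAB="${LAB_DIR:-$(mktemp -d)}"

# Build the root CA, a delegated OCSP signing certificate and two server
# certificates; revoke one server certificate; publish the CRL as PEM and DER.
lab_setup() {
  cd "$LAB"
  # Minimal openssl config: CA section, DN section (so 'openssl req' does not
  # need the system openssl.cnf), CA extensions and the OCSP signer extension.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 1
policy = lab_policy
[ lab_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ocsp_ext ]
extendedKeyUsage = OCSPSigning
EOF
  mkdir -p newcerts && : > index.txt && echo 1000 > serial
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
    -keyout ca.key -out ca.csr -subj "/CN=Lab Root CA" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in ca.csr -signkey ca.key \
    -extfile ca.cnf -extensions v3_ca -out ca.pem 2>/dev/null
  for name in ocsp good revoked; do
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
      -keyout "$name.key" -out "$name.csr" -subj "/CN=$name.lab.test" 2>/dev/null
  done
  openssl ca -batch -notext -config ca.cnf -extensions ocsp_ext \
    -in ocsp.csr -out ocsp.pem >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -in good.csr -out good.pem >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -in revoked.csr -out revoked.pem >/dev/null 2>&1
  openssl ca -config ca.cnf -revoke revoked.pem -crl_reason keyCompromise >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  openssl crl -in crl.pem -outform DER -out crl.der
}

# The firewall accepts CRLs only in DER. Report a fetched file's encoding
# before the firewall is pointed at it: prints PEM, DER or unknown.
crl_format() {
  cd "$LAB"
  if grep -q -- '-----BEGIN X509 CRL-----' "$1" 2>/dev/null; then echo PEM
  elif openssl crl -inform DER -in "$1" -noout >/dev/null 2>&1; then echo DER
  else echo unknown
  fi
}

# CRL method: look the certificate's serial number up in the issuer's CRL
# while validating the chain. Prints good, revoked or unknown.
crl_status() {
  cd "$LAB"
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem "$1" 2>&1) \
    && { echo good; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo unknown ;;
  esac
}

# OCSP method, run offline: the client writes a request carrying the serial
# number, the responder answers from index.txt under the delegated signing
# certificate, and the client verifies the signed response against the CA.
ocsp_status() {
  cd "$LAB"
  openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -reqout "$1.req" >/dev/null 2>&1
  openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem -rkey ocsp.key \
    -rmd sha256 -reqin "$1.req" -respout "$1.resp" -no_nonce -noverify >/dev/null 2>&1
  openssl ocsp -respin "$1.resp" -issuer ca.pem -cert "$1" -CAfile ca.pem -no_nonce \
    2>/dev/null | awk -v n="$1:" '$1 == n { print $2 }'
}

lab_setup
echo "crl.pem: $(crl_format crl.pem)  crl.der: $(crl_format crl.der)"
echo "CRL : good.pem=$(crl_status good.pem)  revoked.pem=$(crl_status revoked.pem)"
echo "OCSP: good.pem=$(ocsp_status good.pem)  revoked.pem=$(ocsp_status revoked.pem)"
```

The generated files stay in the working directory (a temporary directory unless LAB_DIR is set), so the artifacts can be inspected afterwards; `openssl crl -inform DER -in crl.der -text -noout`, for instance, lists the revoked serial number and the keyCompromise reason that the CRL carries. `crl_format` mirrors the failure mode described for CRLs: a PEM-encoded list is a valid CRL for openssl but not for the firewall, so the encoding is worth checking before a distribution point is trusted. The OCSP responder here signs with a delegated certificate that carries the OCSPSigning extended key usage, which is why the client accepts its response after chaining it to the CA; a response signed by an arbitrary certificate would fail that verification.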

Certificate Deployment
The basic approaches to deploy certificates for Palo Alto Networks devices are:

Obtain certificates from a trusted third-party CA: The benefit of obtaining a certificate from a trusted
third-party certificate authority (CA) such as VeriSign or GoDaddy is that end clients will already trust the
certificate because common browsers include root CA certificates from well-known CAs in their trusted
root certificate stores. Therefore, for applications that require end clients to establish secure connections
with a Palo Alto Networks device, purchase a certificate from a CA that the end clients trust to avoid having
to pre-deploy root CA certificates to the end clients. (Some such applications are a GlobalProtect portal or
GlobalProtect Mobile Security Manager.) However, note that most third-party CAs cannot issue signing
certificates. Therefore, this type of certificate is not appropriate for applications (for example, SSL/TLS
decryption and large-scale VPN) that require the firewall to issue certificates. See Obtain a Certificate from
an External CA.

Obtain certificates from an enterprise CA: Enterprises that have their own internal CA can use it to
issue certificates for firewall applications and import them onto the firewall. The benefit is that end clients
probably already trust the enterprise CA. You can either generate the needed certificates and import them
onto the firewall, or generate a certificate signing request (CSR) on the firewall and send it to the enterprise
CA for signing. The benefit of this method is that the private key does not leave the firewall. An enterprise
CA can also issue a signing certificate, which the firewall uses to automatically generate certificates (for
example, for GlobalProtect large-scale VPN or sites requiring SSL/TLS decryption). See Import a
Certificate and Private Key.

Generate self-signed certificates: You can Create a Self-Signed Root CA Certificate on the firewall and
use it to automatically issue certificates for other firewall applications. Note that if you use this method to
generate certificates for an application that requires an end client to trust the certificate, end users will see a
certificate error because the root CA certificate is not in their trusted root certificate store. To prevent this,
deploy the self-signed root CA certificate to all end user systems. You can deploy the certificates manually
or use a centralized deployment method such as an Active Directory Group Policy Object (GPO).

Set Up Verification for Certificate Revocation Status


To verify the revocation status of certificates, the firewall uses Open Certificate Status Protocol (OCSP) and/or
certificate revocation lists (CRLs). For details on these methods, see Certificate Revocation. If you configure
both methods, the firewall first tries OCSP and only falls back to the CRL method if the OCSP responder is
unavailable. If your enterprise has its own public key infrastructure (PKI), you can configure the firewall to
function as the OCSP responder.
The following topics describe how to configure the firewall to verify certificate revocation status:

Configure an OCSP Responder

Configure Revocation Status Verification of Certificates Used for User/Device Authentication

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Configure an OCSP Responder


To use Open Certificate Status Protocol (OCSP) for verifying the revocation status of certificates, you must
configure the firewall to access an OCSP responder (server). The entity that manages the OCSP responder can
be a third-party certificate authority (CA) or, if your enterprise has its own public key infrastructure (PKI), the
firewall itself. For details on OCSP, see Certificate Revocation.
Configure an OCSP Responder

Step 1 Define an OCSP responder.
1. Select Device > Certificate Management > OCSP Responder and click Add.
2. Enter a Name to identify the responder (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.
3. If the device has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
4. In the Host Name field, enter the host name (recommended) or IP address of the OCSP responder. From this value, PAN-OS automatically derives a URL and adds it to the certificate being verified.
If you configure the firewall itself as an OCSP responder, the host name must resolve to an IP address in the interface that the firewall uses for OCSP services (specified in Step 3).
5. Click OK.

Step 2 Enable OCSP communication on the firewall.
1. Select Device > Setup > Management.
2. In the Management Interface Settings section, edit to select the HTTP OCSP check box, then click OK.

Step 3 Optionally, to configure the firewall itself as an OCSP responder, add an Interface Management Profile to the interface used for OCSP services.
1. Select Network > Network Profiles > Interface Mgmt.
2. Click Add to create a new profile or click the name of an existing profile.
3. Select the HTTP OCSP check box and click OK.
4. Select Network > Interfaces and click the name of the interface that the firewall will use for OCSP services. The OCSP Host Name specified in Step 1 must resolve to an IP address in this interface.
5. Select Advanced > Other info and select the Interface Management Profile you configured.
6. Click OK and Commit.

Configure Revocation Status Verification of Certificates Used for User/Device Authentication

The firewall uses certificates to authenticate users and devices for such applications as Captive Portal,
GlobalProtect, site-to-site IPSec VPN, and web interface access to Palo Alto Networks devices. To improve
security, it is a best practice to configure the firewall to verify the revocation status of certificates that it uses for
device/user authentication.

Configure Revocation Status Verification of Certificates Used for User/Device Authentication

Step 1 Configure a Certificate Profile for each application.
Assign one or more root CA certificates to the profile and select how the firewall verifies certificate revocation status. The common name (FQDN or IP address) of a certificate must match an interface to which you apply the profile in Step 2.
For details on the certificates that various applications use, see Keys and Certificates.

Step 2 Assign the certificate profiles to the relevant applications.
The steps to assign a certificate profile depend on the application that requires it.

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

The firewall decrypts inbound and outbound SSL/TLS traffic to apply security policy rules, then re-encrypts
the traffic before forwarding it. (For details, see SSL Inbound Inspection and SSL Forward Proxy.) You can
configure the firewall to verify the revocation status of certificates used for decryption as follows.
Enabling revocation status verification for SSL/TLS decryption certificates will add time to the
process of establishing the session. The first attempt to access a site might fail if the verification
does not finish before the session times out. For these reasons, verification is disabled by default.

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Step 1 Define the service-specific timeout intervals for revocation status requests.
1. Select Device > Setup > Session and, in the Session Features section, select Decryption Certificate Revocation Settings.
2. Perform one or both of the following steps, depending on whether the firewall will use Open Certificate Status Protocol (OCSP) or the Certificate Revocation List (CRL) method to verify the revocation status of certificates. If the firewall will use both, it first tries OCSP; if the OCSP responder is unavailable, the firewall then tries the CRL method.
In the CRL section, select the Enable check box and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the CRL service.
In the OCSP section, select the Enable check box and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the OCSP responder.
Depending on the Certificate Status Timeout value you specify in Step 2, the firewall might register a timeout before either or both of the Receive Timeout intervals pass.

Step 2 Define the total timeout interval for revocation status requests.
Enter the Certificate Status Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies the session-blocking logic you optionally define in Step 3. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:
If you enable both OCSP and CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
If you enable only OCSP: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
If you enable only CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.

Step 3 Define the blocking behavior for unknown certificate status or a revocation status request timeout.
If you want the firewall to block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select the Block Session With Unknown Certificate Status check box. Otherwise, the firewall proceeds with the session.
If you want the firewall to block SSL/TLS sessions after it registers a request timeout, select the Block Session On Certificate Status Check Timeout check box. Otherwise, the firewall proceeds with the session.

Step 4 Save and apply your entries.
Click OK and Commit.

Configure the Master Key


Every firewall has a default master key that encrypts private keys and other secrets (such as passwords and
shared keys). The private keys authenticate users when they access administrative interfaces on the firewall. As
a best practice to safeguard the keys, configure the master key on each firewall to be unique and periodically
change it. For added security, use a wrapping key stored on a hardware security module (HSM) to encrypt the
master key. For details, see Encrypt a Master Key Using an HSM.
In a high availability (HA) configuration, ensure both devices in the pair use the same master key
to encrypt private keys and certificates. If the master keys differ, HA configuration synchronization
will not work properly.
When you export a firewall configuration, the master key encrypts the passwords of users
managed on external servers. For locally managed users, the firewall hashes the passwords but
the master key does not encrypt them.

Configure a Master Key

Step 1

Select Device > Master Key and Diagnostics and, in the Master Key section, click the Edit icon.

Step 2

Enter the Current Master Key if one exists.

Step 3

Define a new New Master Key and then Confirm New Master Key. The key must contain exactly 16 characters.

Step 4

(Optional) To specify the master key Life Time, enter the number of Days and/or Hours after which the key
will expire. If you set a life time, create a new master key before the old key expires.

Step 5

(Optional) If you set a key life time, enter a Time for Reminder that specifies the number of Days and Hours
preceding master key expiration when the firewall emails you a reminder.

Step 6

(Optional) Select whether to use an HSM to encrypt the master key. For details, see Encrypt a Master Key Using
an HSM.

Step 7

Click OK and Commit.

Obtain Certificates

Create a Self-Signed Root CA Certificate

Generate a Certificate on the Device

Import a Certificate and Private Key

Obtain a Certificate from an External CA

Create a Self-Signed Root CA Certificate


A self-signed root certificate authority (CA) certificate is the top-most certificate in a certificate chain. A firewall
can use this certificate to automatically issue certificates for other uses. For example, the firewall issues
certificates for SSL/TLS decryption and for satellite devices in a GlobalProtect large-scale VPN.
When establishing a secure connection with the firewall, the remote client must trust the root CA that issued
the certificate. Otherwise, the client browser will display a warning that the certificate is invalid and might
(depending on security settings) block the connection. To prevent this, after generating the self-signed root CA
certificate, import it into the client systems.
On a Palo Alto Networks device, you can generate self-signed certificates only if they are CA
certificates.

Generate a Self-signed Root CA Certificate

Step 1

Select Device > Certificate Management > Certificates > Device Certificates.

Step 2

If the device has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3

Click Generate.

Step 4

Enter a Certificate Name, such as GlobalProtect_CA. The name is case-sensitive and can have up to 31
characters. It must be unique and use only letters, numbers, hyphens, and underscores.

Step 5

In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will
configure the service that will use this certificate.

Step 6

If the device has more than one vsys and you want the certificate to be available to every vsys, select the Shared
check box.

Step 7

Leave the Signed By field blank to designate the certificate as self-signed.

Step 8

(Required) Select the Certificate Authority check box.

Step 9

Leave the OCSP Responder field blank; revocation status verification doesn't apply to root CA certificates.

Step 10 Click Generate and Commit.

Generate a Certificate on the Device


Palo Alto Networks devices use certificates to authenticate clients, servers, users, and devices in several
applications, including SSL/TLS decryption, Captive Portal, GlobalProtect, site-to-site IPSec VPN, and device
web interface access. Generate certificates for each usage: for details, see Keys and Certificates.
To generate a certificate, you must first Create a Self-Signed Root CA Certificate or import one (Import a
Certificate and Private Key) to sign it. To use Open Certificate Status Protocol (OCSP) for verifying certificate
revocation status, Configure an OCSP Responder before generating the certificate.
Generate a Certificate on the Device

Step 1

Select Device > Certificate Management > Certificates > Device Certificates.

Step 2

If the device has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3

Click Generate.

Step 4

Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and
use only letters, numbers, hyphens, and underscores.

Step 5

In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will
configure the service that will use this certificate.

Step 6

If the device has more than one vsys and you want the certificate to be available to every vsys, select the Shared
check box.

Step 7

In the Signed By field, select the root CA certificate that will issue the certificate.

Step 8

(Optional) Select an OCSP Responder.

Step 9

For the key generation Algorithm, select RSA (default) or Elliptical Curve DSA (ECDSA). ECDSA is
recommended for client browsers and operating systems that support it.
Firewalls that run PAN-OS 6.1 and earlier releases will delete any ECDSA certificates that you push
from Panorama, and any RSA certificates signed by an ECDSA certificate authority (CA) will be
invalid on those firewalls.

Step 10 Select the Number of Bits to define the certificate key length. Higher numbers are more secure but require more
processing time.
Step 11 Select the Digest algorithm. From most to least secure, the options are: sha512, sha384, sha256 (default), sha1,
and md5.
Step 12 For the Expiration, enter the number of days (default is 365) for which the certificate is valid.
Step 13 (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the
certificate.
If you add a Host Name (DNS name) attribute, it is a best practice for it to match the Common Name.
The host name populates the Subject Alternative Name field of the certificate.
Step 14 Click Generate and, in the Device Certificates page, click the certificate Name.

Step 15 Select the check boxes that correspond to the intended use of the certificate on the firewall.
For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server,
select the Certificate for Secure Syslog check box.
Step 16 Click OK and Commit.

Import a Certificate and Private Key


If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into
the firewall from your enterprise certificate authority (CA). Enterprise CA certificates (unlike most certificates
purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as
SSL/TLS decryption or large-scale VPN.
On a Palo Alto Networks device, you can import self-signed certificates only if they are CA
certificates.
Instead of importing a self-signed root CA certificate into all the client systems, it is a best practice
to import a certificate from the enterprise CA because the clients will already have a trust
relationship with the enterprise CA, which simplifies the deployment.
If the certificate you will import is part of a certificate chain, it is a best practice to import the entire
chain.

Import a Certificate and Private Key

Step 1

From the enterprise CA, export the certificate and private key that the firewall will use for authentication.
When exporting a private key, you must enter a passphrase to encrypt the key for transport. Ensure the
management system can access the certificate and key files. When importing the key onto the firewall, you must
enter the same passphrase to decrypt it.

Step 2

Select Device > Certificate Management > Certificates > Device Certificates.

Step 3

If the device has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 4

Click Import and enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must
be unique and use only letters, numbers, hyphens, and underscores.

Step 5

To make the certificate available to all virtual systems, select the Shared check box. This check box appears only
if the device supports multiple virtual systems.

Step 6

Enter the path and name of the Certificate File received from the CA, or Browse to find the file.

Step 7

Select a File Format:


Encrypted Private Key and Certificate (PKCS12): This is the default and most common format, in which
the key and certificate are in a single container (Certificate File). If a hardware security module (HSM) will
store the private key for this certificate, select the Private key resides on Hardware Security Module check
box.
Base64 Encoded Certificate (PEM): You must import the key separately from the certificate. If a hardware
security module (HSM) stores the private key for this certificate, select the Private key resides on Hardware
Security Module check box and skip Step 8. Otherwise, select the Import Private Key check box, enter the
Key File or Browse to it, then perform Step 8.

Step 8

Enter and re-enter (confirm) the Passphrase used to encrypt the private key.

Step 9

Click OK. The Device Certificates page displays the imported certificate.

Obtain a Certificate from an External CA


The advantage of obtaining a certificate from an external certificate authority (CA) is that the private key does
not leave the firewall. To obtain a certificate from an external CA, generate a certificate signing request (CSR)
and submit it to the CA. After the CA issues a certificate with the specified attributes, import it onto the firewall.
The CA can be a well-known, public CA or an enterprise CA.
To use Open Certificate Status Protocol (OCSP) for verifying the revocation status of the certificate, Configure
an OCSP Responder before generating the CSR.
Obtain a Certificate from an External CA

Step 1 Request the certificate from an external CA.
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. If the device has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
3. Click Generate.
4. Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
5. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
6. If the device has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
7. In the Signed By field, select External Authority (CSR).
8. If applicable, select an OCSP Responder.
9. (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate.
If you add a Host Name attribute, it is a best practice for it to match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.
10. Click Generate. The Device Certificates tab displays the CSR with a Status of pending.

Step 2 Submit the CSR to the CA.
1. Select the CSR and click Export to save the .csr file to a local computer.
2. Upload the .csr file to the CA.

Step 3 Import the certificate.
1. After the CA sends a signed certificate in response to the CSR, return to the Device Certificates tab and click Import.
2. Enter the Certificate Name used to generate the CSR in Step 1-4.
3. Enter the path and name of the PEM Certificate File that the CA sent, or Browse to it.
4. Click OK. The Device Certificates tab displays the certificate with a Status of valid.

Step 4 Configure the certificate.
1. Click the certificate Name.
2. Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
3. Click OK and Commit.

Export a Certificate and Private Key


Palo Alto Networks recommends that you use your enterprise public key infrastructure (PKI) to distribute a
certificate and private key in your organization. However, if necessary, you can also export a certificate and
private key from the firewall or Panorama. You can use an exported certificate and private key in the following
cases:

Administrator authentication to the device web interface

GlobalProtect agent/app authentication to portals and gateways

SSL Forward Proxy decryption

Certificate signing requests (CSRs)

Export a Certificate and Private Key

Step 1

Select Device > Certificate Management > Certificates > Device Certificates.

Step 2

If the device has more than one virtual system (vsys), select a Location (a specific vsys or Shared) for the
certificate.

Step 3

Select the certificate, click Export, and select a File Format:


Base64 Encoded Certificate (PEM): This is the default format. It is the most common and has the broadest
support on the Internet. If you want the exported file to include the private key, select the Export Private
Key check box.
Encrypted Private Key and Certificate (PKCS12): This format is more secure than PEM but is not as
common or as broadly supported. The exported file will automatically include the private key.
Binary Encoded Certificate (DER): More operating system types support this format than the others. You
can export only the certificate, not the key: ignore the Export Private Key check box and passphrase fields.

Step 4

Enter a Passphrase and Confirm Passphrase to encrypt the private key if the File Format is PKCS12 or if it
is PEM and you selected the Export Private Key check box. You will use this passphrase when importing the
certificate and key into client systems.

Step 5

Click OK and save the certificate/key file to your computer.

Configure a Certificate Profile


Certificate profiles define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec
VPN, Mobile Security Manager, and web interface access to Palo Alto Networks devices. The profiles specify
which certificates to use, how to verify certificate revocation status, and how that status constrains access.
Configure a certificate profile for each application.
It is a best practice to enable Open Certificate Status Protocol (OCSP) and/or Certificate
Revocation List (CRL) status verification for certificate profiles. For details on these methods, see
Certificate Revocation.

Configure a Certificate Profile

Step 1

Obtain the certificate authority (CA) certificates you will assign.

Perform one of the following steps to obtain the CA certificates you
will assign to the profile. You must assign at least one.
Generate a Certificate on the Device.
Export a certificate from your enterprise CA and then import it
onto the firewall (see Step 3).

Step 2

Identify the certificate profile.

1. Select Device > Certificate Management > Certificates Profile
and click Add.
2. Enter a Name to identify the profile. The name is
case-sensitive, must be unique and can use up to 31 characters
that include only letters, numbers, spaces, hyphens, and
underscores.
3. If the device has more than one virtual system (vsys), select a
Location (vsys or Shared) for the certificate.

Step 3

Assign one or more certificates.

Perform the following steps for each CA certificate:
1. In the CA Certificates table, click Add.
2. Select a CA Certificate. Alternatively, to import a certificate,
click Import, enter a Certificate Name, Browse to the
Certificate File you exported from your enterprise CA, and
click OK.
3. Optionally, if the firewall uses OCSP to verify certificate
revocation status, configure the following fields to override the
default behavior. For most deployments, these fields do not
apply.
By default, the firewall uses the OCSP responder URL that
you set in the procedure Configure an OCSP Responder. To
override that setting, enter a Default OCSP URL (starting
with http:// or https://).
By default, the firewall uses the certificate selected in the CA
Certificate field to validate OCSP responses. To use a
different certificate for validation, select it in the OCSP
Verify CA Certificate field.
4. Click OK. The CA Certificates table displays the assigned
certificate.

Step 4

Define the methods for verifying certificate revocation status and the
associated blocking behavior.

1. Select Use CRL and/or Use OCSP. If you select both, the
firewall first tries OCSP and falls back to the CRL method only
if the OCSP responder is unavailable.
2. Depending on the verification method, enter the CRL Receive
Timeout and/or OCSP Receive Timeout. These are the
intervals (1-60 seconds) after which the firewall stops waiting
for a response from the CRL/OCSP service.
3. Enter the Certificate Status Timeout. This is the interval (1-60
seconds) after which the firewall stops waiting for a response
from any certificate status service and applies any
session-blocking logic you define. The Certificate Status
Timeout relates to the OCSP/CRL Receive Timeout as
follows:
If you enable both OCSP and CRL: The firewall registers a
request timeout after the lesser of two intervals passes: the
Certificate Status Timeout value or the aggregate of the
two Receive Timeout values.
If you enable only OCSP: The firewall registers a request
timeout after the lesser of two intervals passes: the
Certificate Status Timeout value or the OCSP Receive
Timeout value.
If you enable only CRL: The firewall registers a request
timeout after the lesser of two intervals passes: the
Certificate Status Timeout value or the CRL Receive
Timeout value.
4. If you want the firewall to block sessions when the OCSP or
CRL service returns a certificate revocation status of unknown,
select the Block session if certificate status is unknown check
box. Otherwise, the firewall proceeds with the session.
5. If you want the firewall to block sessions after it registers an
OCSP or CRL request timeout, select the Block session if
certificate status cannot be retrieved within timeout check
box. Otherwise, the firewall proceeds with the session.

Step 5

Save and apply your entries.

Click OK and Commit.
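The timeout and blocking rules in Step 4 combine in ways that are easy to misjudge, so the following Python model, added here and not part of the PAN-OS guide or product code, encodes them so an administrator can reason about what a given profile does when a responder is slow or silent. Responder replies are constructed inputs; treating a service that never answers as having used up its full Receive Timeout is this model's own assumption.

```python
"""Model of a PAN-OS certificate profile's revocation-status logic.

Added example, not product code. Encodes the rules stated in the guide:
OCSP is tried first, CRL only if the OCSP responder is unavailable, and a
request timeout is registered after the lesser of Certificate Status
Timeout and the enabled Receive Timeout(s).
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class CertProfile:
    """Revocation-related fields of a certificate profile (Step 4)."""
    use_ocsp: bool = True
    use_crl: bool = True
    ocsp_receive_timeout: int = 5   # seconds, 1-60
    crl_receive_timeout: int = 5    # seconds, 1-60
    cert_status_timeout: int = 5    # seconds, 1-60
    block_if_unknown: bool = False
    block_if_timeout: bool = False


@dataclass
class Answer:
    """Constructed stand-in for a revocation service's reply."""
    status: str      # "good", "revoked", "unknown" or "unavailable" (no reply)
    elapsed: float   # seconds the firewall waited on this service


def effective_timeout(p: CertProfile) -> Optional[int]:
    """Seconds after which the firewall registers a request timeout.

    The lesser of Certificate Status Timeout and the Receive Timeout(s) of
    the enabled method(s); None when neither method is enabled.
    """
    if p.use_ocsp and p.use_crl:
        return min(p.cert_status_timeout,
                   p.ocsp_receive_timeout + p.crl_receive_timeout)
    if p.use_ocsp:
        return min(p.cert_status_timeout, p.ocsp_receive_timeout)
    if p.use_crl:
        return min(p.cert_status_timeout, p.crl_receive_timeout)
    return None


def evaluate(p: CertProfile, ocsp: Optional[Answer],
             crl: Optional[Answer]) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one session's certificate.

    Assumption of this model: a method for which no reply object is given
    is treated as unavailable after its full Receive Timeout.
    """
    budget = effective_timeout(p)
    if budget is None:
        return "allow", "revocation checking not enabled"

    def on_timeout() -> Tuple[str, str]:
        if p.block_if_timeout:
            return "block", "status not retrieved within timeout"
        return "allow", "timeout, session allowed by profile"

    waited = 0.0
    status = None
    if p.use_ocsp:
        reply = ocsp or Answer("unavailable", p.ocsp_receive_timeout)
        waited += reply.elapsed
        if waited > budget:
            return on_timeout()
        if reply.status != "unavailable":
            status = reply.status          # "unknown" does not fall back to CRL
    if status is None and p.use_crl:
        reply = crl or Answer("unavailable", p.crl_receive_timeout)
        waited += reply.elapsed
        if waited > budget:
            return on_timeout()
        if reply.status != "unavailable":
            status = reply.status
    if status is None:
        return on_timeout()                # every enabled service was silent
    if status == "revoked":
        return "block", "certificate revoked"
    if status == "unknown":
        if p.block_if_unknown:
            return "block", "status unknown"
        return "allow", "status unknown, session allowed by profile"
    return "allow", "status good"


if __name__ == "__main__":
    # With the defaults (5s + 5s receive timeouts but a 5s status timeout)
    # an OCSP outage leaves no time for the CRL fallback to be counted.
    prof = CertProfile()
    print(evaluate(prof, Answer("unavailable", 5.0), Answer("good", 1.0)))
    # Raising Certificate Status Timeout to 20s lets the CRL answer count.
    prof.cert_status_timeout = 20
    print(evaluate(prof, Answer("unavailable", 5.0), Answer("good", 1.0)))
```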

Configure an SSL/TLS Service Profile


SSL/TLS service profiles specify a certificate and the allowed protocol versions for the SSL/TLS services of
Palo Alto Networks devices. The devices use SSL/TLS for Captive Portal, GlobalProtect portals and gateways,
inbound traffic on the management (MGT) interface, the URL Admin Override feature, and the User-ID
syslog listening service. By defining the protocol versions, you can use a profile to restrict the cipher suites that
are available for securing communication with the clients requesting the services. This improves network
security by enabling devices to avoid SSL/TLS versions that have known weaknesses: if a service request
involves a protocol version that is outside the specified range, the device downgrades or upgrades the
connection to a supported version.
Configure an SSL/TLS Service Profile

Step 1

For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).
Use only signed certificates, not certificate authority (CA) certificates, for SSL/TLS services.

Step 2

Select Device > Certificate Management > SSL/TLS Service Profile.

Step 3

If the device has more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is
available.

Step 4

Click Add and enter a Name to identify the profile.

Step 5

Select the Certificate you just obtained.

Step 6

Define the range of protocols that the service can use:


For the Min Version, select the earliest allowed TLS version: TLSv1.0 (default), TLSv1.1, or TLSv1.2.
For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or Max (latest
available version). The default is Max.

Step 7

Click OK and Commit.

Configure the Key Size for SSL Forward Proxy Server Certificates
When responding to a client in an SSL Forward Proxy session, the firewall creates a copy of the certificate
presented to it by the destination server and uses it to establish its connection with the client. By default, the
firewall generates certificates with the same key size as the certificate presented by the destination server.
However, you can change the key size the firewall uses to generate certificates for establishing sessions between
itself and the clients as follows:
Configure the Key Size Used in SSL Forward Proxy Server Communications

Step 1

Select Device > Setup > Session and, in the Decryption Settings section, click SSL Forward Proxy Settings.

Step 2

Select a Key Size:


Defined by destination host: The firewall determines the key size to use in the certificates it generates to
establish SSL proxy sessions with clients based on the key size of the destination server certificate. If the
destination server uses a 1024-bit RSA key, the firewall generates a certificate with that key size and an SHA-1
hashing algorithm. If the destination server uses a key size larger than 1024 bits (for example, 2048 bits or
4096 bits), the firewall generates a certificate that uses a 2048-bit RSA key and SHA-256 algorithm. This is
the default setting.
1024-bit RSA: The firewall generates certificates that use a 1024-bit RSA key and SHA-1 hashing algorithm
regardless of the key size of the destination server certificates. As of December 31, 2013, public certificate
authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than
2048 bits. In the future, depending on security settings, when presented with such keys the browser might
warn the user or block the SSL/TLS session entirely.
2048-bit RSA: The firewall generates certificates that use a 2048-bit RSA key and SHA-256 hashing
algorithm regardless of the key size of the destination server certificates. Public CAs and popular browsers
support 2048-bit keys, which provide better security than the 1024-bit keys.
Changing the key size setting clears the current certificate cache.

Step 3

Click OK and Commit.

Revoke and Renew Certificates

Revoke a Certificate

Renew a Certificate

Revoke a Certificate
Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of
name, change of association between subject and certificate authority (for example, an employee terminates
employment), and compromise (known or suspected) of the private key. Under such circumstances, the
certificate authority (CA) that issued the certificate must revoke it. The following task describes how to revoke
a certificate for which the firewall is the CA.
Revoke a Certificate

Step 1

Select Device > Certificate Management > Certificates > Device Certificates.

Step 2

If the device supports multiple virtual systems, the tab displays a Location drop-down. Select the virtual system
to which the certificate belongs.

Step 3

Select the certificate to revoke.

Step 4

Click Revoke. PAN-OS immediately sets the status of the certificate to revoked and adds the serial number to
the Open Certificate Status Protocol (OCSP) responder cache or certificate revocation list (CRL). You need not
perform a commit.

Renew a Certificate
If a certificate expires, or soon will, you can reset the validity period. If an external certificate authority (CA)
signed the certificate and the firewall uses the Open Certificate Status Protocol (OCSP) to verify certificate
revocation status, the firewall uses the OCSP responder information to update the certificate status (see
Configure an OCSP Responder). If the firewall is the CA that issued the certificate, the firewall replaces it with
a new certificate that has a different serial number but the same attributes as the old certificate.
Renew a Certificate

Step 1

Select Device > Certificate Management > Certificates > Device Certificates.

Step 2

If the device has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3

Select a certificate to renew and click Renew.

Step 4

Enter a New Expiration Interval (in days).

Step 5

Click OK and Commit.

Secure Keys with a Hardware Security Module


A hardware security module (HSM) is a physical device that manages digital keys. An HSM provides secure
storage and generation of digital keys. It provides both logical and physical protection of these materials from
non-authorized use and potential adversaries.
HSM clients integrated with Palo Alto Networks devices enable enhanced security for the private keys used in
SSL/TLS decryption (both SSL forward proxy and SSL inbound inspection). In addition, you can use the HSM
to encrypt device master keys.
The following topics describe how to integrate an HSM with your Palo Alto Networks devices:

Set up Connectivity with an HSM

Encrypt a Master Key Using an HSM

Store Private Keys on an HSM

Manage the HSM Deployment

Set up Connectivity with an HSM


HSM clients are integrated with PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, and VM-Series
firewalls and on Panorama (virtual appliance and M-Series appliance) for use with the following HSMs:

SafeNet Luna SA 5.2.1 or later

Thales Nshield Connect 11.62 or later


The HSM server version must be compatible with these client versions. Refer to the HSM vendor
documentation for the client-server version compatibility matrix.

The following topics describe how to set up connectivity between the Palo Alto Networks device and one of
the supported HSMs:

Set Up Connectivity with a SafeNet Luna SA HSM

Set Up Connectivity with a Thales Nshield Connect HSM

Set Up Connectivity with a SafeNet Luna SA HSM


To set up connectivity between the Palo Alto Networks device and a SafeNet Luna SA HSM, you must specify
the address of the HSM server and the password for connecting to it in the firewall configuration. In addition,
you must register the firewall with the HSM server. Prior to beginning the configuration, make sure you have
created a partition for the Palo Alto Networks devices on the HSM server.
HSM configuration is not synced between high availability firewall peers. Consequently, you must
configure the HSM module separately on each of the peers.
In Active-Passive HA deployments, you must manually perform one failover to configure and
authenticate each HA peer individually to the HSM. After this manual failover has been
performed, user interaction is not required for the failover function.

Set Up Connectivity with a SafeNet Luna SA HSM

Step 1

Configure the firewall to communicate with the SafeNet Luna SA HSM.

1. Log in to the firewall web interface and select Device > Setup > HSM.
2. Edit the Hardware Security Module Provider section and select Safenet
Luna SA as the Provider Configured.
3. Click Add and enter a Module Name. This can be any ASCII string up
to 31 characters in length.
4. Enter the IPv4 address of the HSM module as the Server Address.
If you are configuring a high availability HSM configuration, enter
module names and IP addresses for the additional HSM devices.
5. (Optional) If configuring a high availability HSM configuration, select
the High Availability check box and add the following: a value for Auto
Recovery Retry and a High Availability Group Name.
If two HSM servers are configured, you should configure high
availability. Otherwise the second HSM server is not used.
6. Click OK and Commit.

Step 2

(Optional) Configure a service route to enable the firewall to
connect to the HSM.

By default, the firewall uses the Management Interface to
communicate with the HSM. To use a different interface, you must
configure a service route.

1. Select Device > Setup > Services.
2. Select Service Route Configuration from the Services Features area.
3. Select Customize from the Service Route Configuration area.
4. Select the IPv4 tab.
5. Select HSM from the Service column.
6. Select an interface to use for HSM from the Source Interface
drop-down.
If you select a dataplane connected port for HSM, issuing the
clear session all CLI command will clear all existing HSM
sessions, causing all HSM states to be brought down and then up.
During the several seconds required for HSM to recover, all
SSL/TLS operations will fail.
7. Click OK and Commit.

Step 3

Configure the firewall to authenticate to the HSM.

1. Select Device > Setup > HSM.
2. Select Setup Hardware Security Module in the Hardware Security
Operations area.
3. Select the HSM Server Name from the drop-down.
4. Enter the Administrator Password to authenticate the firewall to the
HSM.
5. Click OK.
The firewall attempts to perform an authentication with the HSM and
displays a status message.
6. Click OK.

Step 4

Register the firewall (the HSM client) with the HSM and assign it
to a partition on the HSM.

If the HSM already has a firewall with the same <cl-name> registered, you
must remove the duplicate registration using the following command
before registration will succeed:
client delete -client <cl-name>

where <cl-name> is the name of the client (firewall) registration
you want to delete.

1. Log in to the HSM from a remote system.
2. Register the firewall using the following command:
client register -c <cl-name> -ip <fw-ip-addr>

where <cl-name> is a name that you assign to the firewall for use on the
HSM and <fw-ip-addr> is the IP address of the firewall that is being
configured as an HSM client.
3. Assign a partition to the firewall using the following command:
client assignpartition -c <cl-name> -p <partition-name>

where <cl-name> is the name assigned to the firewall in the client
register command and <partition-name> is the name of a
previously configured partition that you want to assign to the firewall.

Step 5

Configure the firewall to connect to the HSM partition.

1. Select Device > Setup > HSM.
2. Click the Refresh icon.
3. Select the Setup HSM Partition in the Hardware Security Operations
area.
4. Enter the Partition Password to authenticate the firewall to the
partition on the HSM.
5. Click OK.

Step 6

(Optional) Configure an additional HSM for high availability (HA).

1. Follow Step 1 through Step 5 to add an additional HSM for high
availability (HA).
This process adds a new HSM to the existing HA group.
2. If you remove an HSM from your configuration, repeat Step 5.
This will remove the deleted HSM from the HA group.

Step 7

Verify connectivity with the HSM.

1. Select Device > Setup > HSM.
2. Check the Status of the HSM connection:
Green: HSM is authenticated and connected.
Red: HSM was not authenticated or network connectivity to the HSM
is down.
3. View the following columns in the Hardware Security Module Status area to
determine authentication status:
Serial Number: The serial number of the HSM partition if the HSM
was successfully authenticated.
Partition: The partition name on the HSM that was assigned on the
firewall.
Module State: The current operating state of the HSM. It always has
the value Authenticated if the HSM is displayed in this table.

Set Up Connectivity with a Thales Nshield Connect HSM


The following workflow describes how to configure the firewall to communicate with a Thales Nshield Connect
HSM. This configuration requires that you set up a remote filesystem (RFS) to use as a hub to sync key data for
all firewalls in your organization that are using the HSM.
HSM configuration is not synced between high availability firewall peers. Consequently, you must
configure the HSM module separately on each of the peers.
If the high availability firewall configuration is in Active-Passive mode, you must manually perform
one failover to configure and authenticate each HA peer individually to the HSM. After this manual
failover has been performed, user interaction is not required for the failover function.

Set up Connectivity with a Thales Nshield Connect HSM

Step 1

Configure the Thales Nshield Connect server as the firewall's HSM
provider.

1. From the firewall web interface, select Device > Setup > HSM and edit the
Hardware Security Module Provider section.
2. Select Thales Nshield Connect as the Provider Configured.
3. Click Add and enter a Module Name. This can be any ASCII string up to 31
characters in length.
4. Enter the IPv4 address as the Server Address of the HSM module.
If you are configuring a high availability HSM configuration, enter module
names and IP addresses for the additional HSM devices.
5. Enter the IPv4 address of the Remote Filesystem Address.
6. Click OK and Commit.

Step 2

(Optional) Configure a service route to enable the firewall to connect to the
HSM.

By default, the firewall uses the Management Interface to communicate
with the HSM. To use a different interface, you must configure a service
route.

1. Select Device > Setup > Services.
2. Select Service Route Configuration from the Services Features area.
3. Select Customize from the Service Route Configuration area.
4. Select the IPv4 tab.
5. Select HSM from the Service column.
6. Select an interface to use for HSM from the Source Interface drop-down.
If you select a dataplane connected port for HSM, issuing the clear
session all CLI command will clear all existing HSM sessions,
causing all HSM states to be brought down and then up. During the
several seconds required for HSM to recover, all SSL/TLS operations
will fail.
7. Click OK and Commit.

Step 3

Register the firewall (the HSM client) with the HSM server.

This step briefly describes the procedure for using the front panel interface of
the Thales Nshield Connect HSM. For more details, consult the Thales
documentation.

1. Log in to the front panel display of the Thales Nshield Connect HSM unit.
2. On the unit front panel, use the right-hand navigation button to select System
> System configuration > Client config > New client.
3. Enter the IP address of the firewall.
4. Select System > System configuration > Client config > Remote file system
and enter the IP address of the client computer where you set up the remote
file system.

Step 4

Set up the remote filesystem to accept connections from the
firewall.

1. Log in to the remote filesystem (RFS) from a Linux client.
2. Obtain the electronic serial number (ESN) and the hash of the KNETI key. The
KNETI key authenticates the module to clients:
anonkneti <ip-address>

where <ip-address> is the IP address of the HSM.
The following is an example:
anonkneti 192.0.2.1
B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c

In this example, B1E2-2D4C-E6A2 is the ESN and
5a2e5107e70d525615a903f6391ad72b1c03352c is the hash of the KNETI key.
3. Use the following command from a superuser account to perform the remote
filesystem setup:
rfs-setup --force <ip-address> <ESN> <hash-Kneti-key>

where <ip-address> is the IP address of the HSM,
<ESN> is the electronic serial number (ESN) and
<hash-Kneti-key> is the hash of the KNETI key.
The following example uses the values obtained in this procedure:
rfs-setup --force 192.0.2.1 B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
4. Use the following command to permit client submit on the Remote Filesystem:
rfs-setup --gang-client --write-noauth <FW-IPaddress>

where <FW-IPaddress> is the IP address of the firewall.

Step 5

Configure the firewall to authenticate to the HSM.

1. From the firewall web interface, select Device > Setup > HSM.
2. Select Setup Hardware Security Module in the Hardware Security Operations
area.
3. Click OK.
The firewall attempts to perform an authentication with the HSM and displays
a status message.
4. Click OK.

Step 6

Synchronize the firewall with the remote filesystem.

1. Select Device > Setup > HSM.
2. Select Synchronize with Remote Filesystem in the Hardware Security
Operations section.

Step 7

Verify that the firewall can connect to the HSM.

1. Select Device > Setup > HSM.
2. Check the Status indicator to verify that the firewall is connected to the HSM:
Green: HSM is authenticated and connected.
Red: HSM was not authenticated or network connectivity to the HSM is
down.
3. View the following columns in the Hardware Security Module Status section to
determine authentication status.
Name: The name of the HSM attempting to be authenticated.
IP address: The IP address of the HSM that was assigned on the firewall.
Module State: The current operating state of the HSM: Authenticated or Not
Authenticated.

Encrypt a Master Key Using an HSM


A master key is configured on a Palo Alto Networks firewall to encrypt all private keys and passwords. If you
have security requirements to store your private keys in a secure location, you can encrypt the master key using
an encryption key that is stored on an HSM. The firewall then requests the HSM to decrypt the master key
whenever it is required to decrypt a password or private key on the firewall. Typically, the HSM is located in a
highly secure location that is separate from the firewall for greater security.
The HSM encrypts the master key using a wrapping key. To maintain security, this encryption key must
occasionally be changed. For this reason, a command is provided on the firewall to rotate the wrapping key
which changes the master key encryption. The frequency of this wrapping key rotation depends on your
application.
Master key encryption using an HSM is not supported on firewalls configured in FIPS or CC
mode.

The following topics describe how to encrypt the master key initially and how to refresh the master key
encryption:

Encrypt the Master Key

Refresh the Master Key Encryption

Encrypt the Master Key


If you have not previously encrypted the master key on a device, use the following procedure to encrypt it. Use
this procedure for first time encryption of a key, or if you define a new master key and you want to encrypt it.
If you want to refresh the encryption on a previously encrypted key, see Refresh the Master Key Encryption.
Encrypt a Master Key Using an HSM

Step 1

Select Device > Master Key and Diagnostics.

Step 2

Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall in the
Master Key field.

Step 3

If changing the master key, enter the new master key and confirm.

Step 4

Select the HSM check box.


Life Time: The number of days and hours after which the master key expires (range 1-730 days).
Time for Reminder: The number of days and hours before expiration when the user is notified of the
impending expiration (range 1-365 days).

Step 5

Click OK.

Refresh the Master Key Encryption


As a best practice, refresh the master key encryption on a regular basis by rotating the master key wrapping key
on the HSM. This command is the same for both the SafeNet Luna SA and Thales Nshield Connect HSMs.

Refresh the Master Key Encryption

Step 1

Use the following CLI command to rotate the wrapping key for the master key on an HSM:
> request hsm mkey-wrapping-key-rotation

If the master key is encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM
and encrypt the master key with the new wrapping key.
If the master key is not encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM
for future use.
The old wrapping key is not deleted by this command.

Store Private Keys on an HSM


For added security, you can use an HSM to secure the private keys used in SSL/TLS decryption for:

SSL forward proxy: The HSM can store the private key of the CA certificate that is used to sign certificates
in SSL/TLS forward proxy operations. The firewall will then send the certificates that it generates during
such operations to the HSM for signing before forwarding them to the client.

SSL inbound inspection: The HSM can store the private keys for the internal servers for which you are
performing SSL/TLS inbound inspection.

Store Private Keys on an HSM

Step 1

On the HSM, import or generate the private key used in your SSL
forward proxy or SSL inbound inspection deployment.

For instructions on importing or generating a private key on the HSM, refer
to your HSM documentation.

Step 2

(Thales Nshield Connect only) Synchronize the key data from the HSM
remote file system to the firewall.

1. Access the firewall web interface and select Device > Setup > HSM.
2. Select Synchronize with Remote Filesystem in the Hardware Security
Operations section.

Step 3

Import the certificate that corresponds to the HSM-stored key onto the
firewall.

1. Select Device > Certificate Management > Certificates > Device
Certificates and click Import.
2. Enter the Certificate Name.
3. Enter the filename of the Certificate File you imported to the HSM.
4. Select a File Format.
5. Select the Private Key resides on Hardware Security Module check
box.
6. Click OK and Commit.

Step 4

(Forward trust certificates only) Enable the certificate for use in
SSL/TLS Forward Proxy.

1. Select Device > Certificate Management > Certificates > Device
Certificates.
2. Open the certificate you imported in Step 3 for editing.
3. Select the Forward Trust Certificate check box.
4. Click OK and Commit.

Step 5

Verify that you successfully imported the certificate onto the
firewall.

1. Select Device > Certificate Management > Certificates > Device
Certificates.
2. Locate the certificate you imported in Step 3 and check the icon in the
Key column:
Lock icon: The private key for the certificate is on the HSM.
Error icon: The private key is not on the HSM or the HSM is not
properly authenticated or connected.

Manage the HSM Deployment


Manage HSM

View the HSM configuration settings.

Select Device > Setup > HSM.

Display detailed HSM information.

Select Show Detailed Information from the Hardware Security Operations section.
Information regarding the HSM servers, HSM HA status, and HSM hardware is
displayed.

Export Support file.

Select Export Support File from the Hardware Security Operations section.
A test file is created to help customer support when addressing a problem with an
HSM configuration on the firewall.

Reset HSM configuration.

Select Reset HSM Configuration from the Hardware Security Operations section.
Selecting this option removes all HSM connections. All authentication procedures
must be repeated after using this option.


High Availability
High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration is
synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall
peers ensures seamless failover in the event that a peer goes down. Setting up two firewalls in an HA pair
provides redundancy and allows you to ensure business continuity.
The Palo Alto Networks firewalls support stateful active/passive or active/active high availability with session
and configuration synchronization. Some models of the Palo Alto Networks firewall, such as the PA-200, only
support HA lite, which has no session synchronization capability, and the VM-Series firewall in AWS only supports
active/passive HA. The following topics provide more information about high availability and how to configure
it in your environment.

HA Overview

HA Concepts

Set Up Active/Passive HA

Reference: HA Synchronization

HA Resources


HA Overview
On Palo Alto Networks firewalls, you can set up two firewalls as an HA pair. HA allows you to minimize
downtime by making sure that an alternate firewall is available in the event that the peer firewall fails. The
firewalls in an HA pair use dedicated or in-band HA ports on the firewall to synchronize data (network, object,
and policy configurations) and to maintain state information. Firewall-specific configuration such as the
management interface IP address or administrator profiles, HA-specific configuration, log data, and the
Application Command Center (ACC) information is not shared between peers. For a consolidated application
and log view across the HA pair, you must use Panorama, the Palo Alto Networks centralized management
system.
When a failure occurs on a firewall in an HA pair and the peer firewall takes over the task of securing traffic, the
event is called a failover. The conditions that trigger a failover are:
  - One or more of the monitored interfaces fail. (Link Monitoring)
  - One or more of the destinations specified on the firewall cannot be reached. (Path Monitoring)
  - The firewall does not respond to heartbeat polls. (Heartbeat Polling and Hello messages)

After you understand the HA Concepts, continue to Set Up Active/Passive HA.


HA Concepts
The following topics provide conceptual information about how HA works on a Palo Alto Networks firewall:

HA Modes

HA Links and Backup Links

Device Priority and Preemption

Failover Triggers

HA Timers

HA Modes
You can set up the firewalls for HA in two modes:

  - Active/Passive: One firewall actively manages traffic while the other is synchronized and ready to
    transition to the active state, should a failure occur. In this configuration, both firewalls share the same
    configuration settings, and one actively manages traffic until a path, link, system, or network failure occurs.
    When the active firewall fails, the passive firewall transitions to the active state, takes over seamlessly, and
    enforces the same policies to maintain network security. Active/passive HA is supported in virtual wire,
    Layer 2, and Layer 3 deployments. For information on setting up your firewalls in an active/passive
    configuration, see Configure Active/Passive HA.
    The PA-200 appliance only supports a lite version of active/passive HA. HA lite provides configuration
    synchronization and some runtime data synchronization such as IPSec security associations. It does not
    support any session synchronization, and therefore HA lite does not offer stateful failover.

  - Active/Active: Both firewalls in the pair are active and processing traffic, and work synchronously to
    handle session setup and session ownership. The active/active deployment is supported in virtual wire and
    Layer 3 deployments, and is only recommended for networks with asymmetric routing. For information on
    setting up the firewalls in an active/active configuration, refer to the Active/Active High Availability Tech
    Note.

HA Links and Backup Links


The firewalls in an HA pair use HA links to synchronize data and maintain state information. Some models of
the firewall have dedicated HA ports (Control link (HA1) and Data link (HA2)), while others require you to use
the in-band ports as HA links.
On firewalls with dedicated HA ports such as the PA-3000 Series, PA-4000 Series, PA-5000 Series, and PA-7000
Series firewalls (see HA Ports on the PA-7000 Series Firewall), use the dedicated HA ports to manage
communication and synchronization between the firewalls. For firewalls without dedicated HA ports such as
the PA-200, PA-500, and PA-2000 Series firewalls, as a best practice use the management port for the HA1 link
to allow for a direct connection between the management planes on the firewalls, and an in-band port for the
HA2 link.


The HA1 and HA2 links provide synchronization for functions that reside on the management plane. Using the
dedicated HA interfaces on the management plane is more efficient than using the in-band ports, because it
eliminates the need to pass the synchronization packets over the dataplane.

Control Link: The HA1 link is used to exchange hellos, heartbeats, and HA state information, and for
management-plane synchronization of routing and User-ID information. The firewalls also use this link to
synchronize configuration changes with their peer. The HA1 link is a Layer 3 link and requires an IP address.
Ports used for HA1: TCP ports 28769 and 28260 for clear text communication; TCP port 28 for encrypted
communication (SSH over TCP).

Data Link: The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations, and
ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for
the HA2 keep-alive); it flows from the active or active-primary firewall to the passive or active-secondary
firewall. The HA2 link is a Layer 2 link, and it uses ether type 0x7261 by default.
Ports used for HA2: The HA data link can be configured to use either IP (protocol number 99) or UDP
(port 29281) as the transport, which allows the HA data link to span subnets.
Additionally, an HA3 link is used in active/active HA deployments. When there is an asymmetric route, the
HA3 link is used for forwarding packets to the HA peer that owns the session. The HA3 link is a Layer 2
link and it does not support Layer 3 addressing or encryption.

Backup Links: Provide redundancy for the HA1 and the HA2 links. In-band ports are used as backup links
for both HA1 and HA2. Consider the following guidelines when configuring backup HA links:
  - The IP addresses of the primary and backup HA links must not overlap each other.
  - HA backup links must be on a different subnet from the primary HA links.
  - HA1-backup and HA2-backup ports must be configured on separate physical ports. The HA1-backup
    link uses ports 28770 and 28260.
Palo Alto Networks recommends enabling heartbeat backup (uses port 28771 on the MGT interface) if you
use an in-band port for the HA1 or the HA1 backup links.

Only the HA1 link can be encrypted (see Step 6 of Configure Active/Passive HA); the HA3 link explicitly
supports no encryption and the guide defines none for HA2. When these links cannot be directly cabled, keep
them on a segment that carries no other traffic, and enable HA1 encryption whenever the control link passes
through a switch or router, since clear-text HA1 carries the configuration synchronization.
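The port list above is what you need when an HA link crosses a switch or router, and it is also a detection opportunity: HA1 traffic between the peers on a port the design does not account for, or clear-text HA1 traffic when encryption is enabled, points at a misconfiguration. The following Python is an added example, not code from this guide or from Palo Alto Networks. It derives the allow-list from the HA settings and audits flow records against it. The peer addresses and flow records are constructed, and the transport protocol of heartbeat-backup port 28771, which the guide does not name, is assumed to be TCP.

```python
"""Derive the allow-list for traffic between two PAN-OS HA peers and audit
observed flows against it.

Added example; not code from the PAN-OS guide or from Palo Alto Networks.
Port and protocol numbers are the ones listed in the guide. The transport
protocol of heartbeat-backup port 28771 is not stated there and is assumed
to be TCP; the peer addresses and flow records below are constructed.
"""
from typing import List, Optional, Set, Tuple

Rule = Tuple[str, Optional[int]]            # (protocol, destination port or ethertype)
Flow = Tuple[str, str, str, Optional[int]]  # (src, dst, protocol, destination port)

HA1_CLEAR: Set[Rule] = {("tcp", 28769), ("tcp", 28260)}
HA1_ENCRYPTED: Rule = ("tcp", 28)           # SSH over TCP
HA1_BACKUP: Set[Rule] = {("tcp", 28770), ("tcp", 28260)}
# Heartbeat backup: port 28771 on MGT (TCP assumed) plus the ICMP ping the
# heartbeat itself uses (the configuration procedure enables ping on MGT).
HEARTBEAT_BACKUP: Set[Rule] = {("tcp", 28771), ("icmp", None)}
HA2_BY_TRANSPORT = {
    "ethernet": ("ethertype", 0x7261),      # Layer 2 only; cannot cross a router
    "ip": ("ip", 99),                       # IP protocol number 99
    "udp": ("udp", 29281),
}


def required_rules(ha1_encrypted: bool, ha1_backup: bool,
                   heartbeat_backup: bool, ha2_transport: str) -> Set[Rule]:
    """Return the (protocol, port) pairs a device between the peers must permit."""
    rules: Set[Rule] = set()
    if ha1_encrypted:
        rules.add(HA1_ENCRYPTED)
    else:
        rules.update(HA1_CLEAR)
    if ha1_backup:
        rules.update(HA1_BACKUP)
    if heartbeat_backup:
        rules.update(HEARTBEAT_BACKUP)
    rules.add(HA2_BY_TRANSPORT[ha2_transport])  # KeyError for an unknown transport
    return rules


def audit(flows: List[Flow], peers: Set[str], rules: Set[Rule],
          ha1_encrypted: bool) -> List[str]:
    """Flag peer-to-peer flows that the HA design does not account for.

    Clear-text HA1 seen while HA1 encryption is enabled is reported on its own,
    because that traffic carries configuration synchronization.
    """
    findings: List[str] = []
    for src, dst, proto, port in flows:
        if src not in peers or dst not in peers:
            continue                        # only traffic between the two HA peers
        rule: Rule = (proto, port)
        if rule in rules:
            continue
        if ha1_encrypted and rule in HA1_CLEAR:
            findings.append(f"clear-text HA1 {proto}/{port} from {src} to {dst} "
                            f"although HA1 encryption is enabled")
        else:
            findings.append(f"unexpected peer traffic {proto}/{port} from {src} to {dst}")
    return findings


# Constructed sample: HA1 addresses of a pair whose control link crosses a router.
PEERS: Set[str] = {"10.0.9.1", "10.0.9.2"}
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.9.1", "10.0.9.2", "tcp", 28),        # encrypted HA1: expected
    ("10.0.9.1", "10.0.9.2", "tcp", 28769),     # clear-text HA1 despite encryption
    ("10.0.9.2", "10.0.9.1", "udp", 29281),     # HA2 over UDP: expected
    ("10.0.9.1", "10.0.9.2", "tcp", 22),        # SSH between peers: not HA
    ("10.0.9.1", "192.0.2.10", "tcp", 443),     # not peer-to-peer: ignored
]


def demo() -> List[str]:
    rules = required_rules(ha1_encrypted=True, ha1_backup=False,
                           heartbeat_backup=False, ha2_transport="udp")
    return audit(SAMPLE_FLOWS, PEERS, rules, ha1_encrypted=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against the constructed flows, the audit reports the clear-text HA1 connection on TCP 28769 and the SSH session between the peers, and accepts the encrypted HA1 and UDP-transport HA2 traffic.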

HA Ports on the PA-7000 Series Firewall


For HA connectivity on the PA-7000 Series, refer to the following table for details on which ports on the Switch
Management Card (SMC) are mandated and where ports on the Network Processing Card (NPC) are suitable.
For an overview of the Modules and Interface cards on the PA-7000 Series firewall, refer to the PA-7000 Series
Hardware Reference Guide.
The following ports on the SMC are designed for HA connectivity:


HA Links and Backup Links / Ports on the SMC / Description

Control Link
  Port on the SMC: HA1-A (Speed: Ethernet 10/100/1000)
  Used for HA control and synchronization. Connect this port directly from the HA1-A port on the first
  firewall to the HA1-A port on the second firewall in the pair, or connect them together through a switch or
  router.
  HA1 cannot be configured on NPC data ports or the MGT port.

Control Link Backup
  Port on the SMC: HA1-B (Speed: Ethernet 10/100/1000)
  Used for HA control and synchronization as a backup for HA1-A. Connect this port directly from the HA1-B
  port on the first firewall to the HA1-B port on the second firewall in the pair, or connect them together
  through a switch or router.
  HA1 Backup cannot be configured on NPC data ports or the MGT port.

Data Link
  Port on the SMC: HSCI-A (High Speed Chassis Interconnect)
  Quad Small Form-factor Pluggable (QSFP) interface used to connect two PA-7000 Series firewalls in an HA
  configuration. Each port is comprised of four 10 gigabit links internally for a combined speed of 40 gigabits
  and is used for the HA2 data link in an active/passive configuration. When in active/active mode, the port
  is also used for HA3 packet forwarding for asymmetrically routed sessions that require Layer 7 inspection
  for App-ID and Content-ID.
  In a typical installation, HSCI-A on the first chassis connects directly to HSCI-A on the second chassis and
  HSCI-B on the first chassis connects to HSCI-B on the second chassis. This provides full 80 gigabit transfer
  rates. In software, both ports (HSCI-A and HSCI-B) are treated as one HA interface.
  The HSCI ports are not routable and must be connected directly to each other.
  Palo Alto Networks recommends using the dedicated HSCI ports for both HA2 and HA3 connections.
  However, the HA2 and HA3 links can be configured on NPC data ports, if needed.

Data Link Backup
  Port on the SMC: HSCI-B (High Speed Chassis Interconnect)
  The QSFP interface (see description above) in the HSCI-B port is used to increase the bandwidth for
  HA2/HA3 purposes.
  The HSCI ports are not routable and must be connected directly to each other.
  Palo Alto Networks recommends using the dedicated HSCI-B ports for both HA2 and HA3 backup
  connections. The HA2/HA3 backup link can be configured on the NPC data ports, if needed.


Device Priority and Preemption


The firewalls in an HA pair can be assigned a device priority value to indicate a preference for which firewall should
assume the active or active-primary role. If you need to use a specific firewall in the HA pair for actively securing
traffic, you must enable the preemptive behavior on both the firewalls and assign a device priority value for each
firewall. The firewall with the lower numerical value, and therefore higher priority, is designated as active or
active-primary. The other firewall is the active-secondary or passive firewall.
By default, preemption is disabled on the firewalls and must be enabled on both firewalls. When enabled, the
preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active or
active-primary after it recovers from a failure. When preemption occurs, the event is logged in the system logs.

Failover Triggers
When a failure occurs on one firewall and the peer takes over the task of securing traffic, the event is called a
failover. A failover is triggered when a monitored metric on a firewall in the HA pair fails. The metrics that are
monitored for detecting a firewall failure are:

Heartbeat Polling and Hello messages
  The firewalls use hello messages and heartbeats to verify that the peer firewall is responsive and operational.
  Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the
  firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the
  ping to establish that the firewalls are connected and responsive. By default, the interval for the heartbeat is
  1000 milliseconds. For details on the HA timers that trigger a failover, see HA Timers.

Link Monitoring
  The physical interfaces to be monitored are grouped into a link group and their state (link up or link down)
  is monitored. A link group can contain one or more physical interfaces. A firewall failure is triggered when
  any or all of the interfaces in the group fail, depending on the failure condition you configure. The default
  behavior is that failure of any one link in the link group causes the firewall to change the HA state to
  non-functional to indicate a failure of a monitored object.

Path Monitoring
  Monitors the full path through the network to mission-critical IP addresses. ICMP pings are used to verify
  reachability of the IP address. The default interval for pings is 200 ms. An IP address is considered
  unreachable when 10 consecutive pings (the default value) fail, and a firewall failure is triggered when any or
  all of the monitored IP addresses become unreachable, depending on the failure condition you configure.
  The default behavior is that any one of the IP addresses becoming unreachable causes the firewall to change
  the HA state to non-functional to indicate a failure of a monitored object.

In addition to the failover triggers listed above, a failover also occurs when the administrator places the firewall
in a suspended state or if preemption occurs.
On the PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls, a failover can occur when an internal
health check fails. This health check is not configurable and is enabled to verify the operational status of all the
components within the firewall.


HA Timers
High availability (HA) timers are used to detect a firewall failure and trigger a failover. To reduce the complexity
of configuring HA timers, you can select from three profiles: Recommended, Aggressive, and Advanced. These
profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a speedier HA
deployment.
Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover
timer settings. The Advanced profile allows you to customize the timer values to suit your network requirements.
The following table describes each timer included in the profiles and the current preset values (shown as
Recommended/Aggressive) across the different hardware models; these values are for current reference only and
can change in a subsequent release.

Recommended/Aggressive HA Timer Values by Platform

Platform groups used in the table:
  Group 1: PA-7000 Series, PA-5000 Series, PA-4000 Series, PA-3000 Series
  Group 2: PA-2000 Series, PA-500 Series, PA-200 Series, VM-Series
  Group 3: Panorama Virtual Appliance, Panorama M-Series

Monitor fail hold up time (ms)
  Interval during which the firewall will remain active following a path monitor or link monitor failure. This
  setting is recommended to avoid an HA failover due to the occasional flapping of neighboring devices.
  Group 1: 0/0    Group 2: 0/0    Group 3: 0/0

Preemption hold time (minutes)
  Time that a passive or active-secondary firewall will wait before taking over as the active or active-primary
  firewall.
  Group 1: 1/1    Group 2: 1/1    Group 3: 1/1

Heartbeat interval (ms)
  Frequency at which the HA peers exchange heartbeat messages in the form of an ICMP ping.
  Group 1: 1000/1000    Group 2: 2000/1000 (*)    Group 3: 2000/1000
  (*) The table additionally lists 2000/1000 as applying only to the VM-Series in AWS.

Promotion hold time (ms)
  Time that the passive firewall (in active/passive mode) or the active-secondary firewall (in active/active
  mode) will wait before taking over as the active or active-primary firewall after communications with the HA
  peer have been lost. This hold time begins only after the peer failure declaration has been made.
  Group 1: 2000/500    Group 2: 2000/500    Group 3: 2000/500

Additional master hold up time (ms)
  Time interval that is applied to the same event as Monitor Fail Hold Up Time (range 0-60000 ms, default
  500 ms). The additional time interval is applied only to the active firewall in active/passive mode and to the
  active-primary firewall in active/active mode. This timer is recommended to avoid a failover when both
  firewalls experience the same link/path monitor failure simultaneously.
  Group 1: 500/500    Group 2: 500/500    Group 3: 7000/5000

Hello interval (ms)
  Interval in milliseconds between hello packets that are sent to verify that the HA functionality on the other
  firewall is operational. The range is 8000-60000 ms with a default of 8000 ms for all platforms.
  Group 1: 8000/8000    Group 2: 8000/8000    Group 3: 8000/8000

Maximum no. of flaps
  A flap is counted when the firewall leaves the active state within 15 minutes after it last left the active state.
  This value indicates the maximum number of flaps that are permitted before the firewall is determined to be
  suspended and the passive firewall takes over (range 0-16; default 3).
  Group 1: 3/3    Group 2: 3/3    Group 3: Not Applicable
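The Failover Triggers and HA Timers sections above describe three rules that are easy to misjudge when tuning a pair: the any/all failure condition of a link or path group, the run of consecutive failed pings that declares a path unreachable, and the flap counter that suspends a firewall that keeps leaving the active state. The following Python is an added example, not code from this guide or from Palo Alto Networks; it models those rules so you can test a planned monitor configuration against sample data before applying it. The monitor samples are constructed, and reading "permitted before ... suspended" as "suspended once the count exceeds the maximum" is an assumption.

```python
"""Simulate PAN-OS HA failover triggers and the flap counter.

Added example, not code from the PAN-OS guide or from Palo Alto Networks.
Modelled rules, as stated in the guide: a link or path group fails under an
'any' (default) or 'all' condition; path monitoring declares an address
unreachable after N consecutive failed pings (default 10, sent every 200 ms);
a flap is counted when the firewall leaves the active state within 15 minutes
of the previous time it did so. Treating the firewall as suspended once the
flap count exceeds the maximum (default 3) is an assumption, as is the sample
monitor data.
"""
from typing import Dict, Iterable, Sequence

FLAP_WINDOW_S = 15 * 60
DEFAULT_MAX_FLAPS = 3
DEFAULT_PING_COUNT = 10
DEFAULT_PING_INTERVAL_MS = 200


def path_unreachable(ping_results: Sequence[bool], ping_count: int = DEFAULT_PING_COUNT) -> bool:
    """True once `ping_count` consecutive pings have failed (True = reply received).

    A single reply resets the run, so with the defaults a destination is declared
    unreachable no sooner than ping_count * DEFAULT_PING_INTERVAL_MS = 2000 ms.
    """
    failed_run = 0
    for replied in ping_results:
        failed_run = 0 if replied else failed_run + 1
        if failed_run >= ping_count:
            return True
    return False


def group_failed(member_failed: Dict[str, bool], condition: str = "any") -> bool:
    """Apply the link-group or path-group failure condition ('any' is the default)."""
    if condition not in ("any", "all"):
        raise ValueError("failure condition must be 'any' or 'all'")
    states = list(member_failed.values())
    if not states:
        return False
    return any(states) if condition == "any" else all(states)


def flap_count(leave_active_times_s: Iterable[float]) -> int:
    """Count departures from active that came within FLAP_WINDOW_S of the previous one."""
    flaps = 0
    previous = None
    for t in sorted(leave_active_times_s):
        if previous is not None and t - previous <= FLAP_WINDOW_S:
            flaps += 1
        previous = t
    return flaps


def is_suspended(leave_active_times_s: Iterable[float], max_flaps: int = DEFAULT_MAX_FLAPS) -> bool:
    """Suspended once more than max_flaps flaps were counted (assumed reading of 'permitted')."""
    return flap_count(leave_active_times_s) > max_flaps


def failure_reason(link_up: Dict[str, bool], link_condition: str,
                   path_pings: Dict[str, Sequence[bool]], path_condition: str,
                   ping_count: int = DEFAULT_PING_COUNT) -> str:
    """Return 'link', 'path' or '' according to which monitored group, if any, has failed."""
    if group_failed({name: not up for name, up in link_up.items()}, link_condition):
        return "link"
    if group_failed({ip: path_unreachable(r, ping_count) for ip, r in path_pings.items()},
                    path_condition):
        return "path"
    return ""


# Constructed samples: one of two links down; the gateway answers once mid-outage.
SAMPLE_LINKS: Dict[str, bool] = {"ethernet1/1": True, "ethernet1/2": False}
SAMPLE_PATHS: Dict[str, Sequence[bool]] = {
    "gateway": [False] * 9 + [True] + [False] * 10,   # the one reply resets the run
    "server": [True] * 20,
}

if __name__ == "__main__":
    print(failure_reason(SAMPLE_LINKS, "any", SAMPLE_PATHS, "all"))
    print(failure_reason(SAMPLE_LINKS, "all", SAMPLE_PATHS, "any"))
    print(is_suspended([0, 100, 200, 300]), is_suspended([0, 100, 200, 300, 400]))
```

The gateway sample shows why a monitored target that drops ICMP under load is dangerous: nine failures followed by one reply do not trigger anything, but ten in a row do, and with the 'any' condition that one target fails the whole group.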


Set Up Active/Passive HA

Prerequisites for Active/Passive HA

Configuration Guidelines for Active/Passive HA

Configure Active/Passive HA

Define HA Failover Conditions

Verify Failover


Prerequisites for Active/Passive HA

To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the
following requirements:

  - The same model: Both firewalls in the pair must be of the same hardware model or virtual machine model.

  - The same PAN-OS version: Both firewalls should be running the same PAN-OS version and must each be
    up-to-date on the application, URL, and threat databases. They must also both have the same multiple
    virtual systems capability (single or multi vsys).

  - The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band
    ports that are set to interface type HA.
    Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for
    both peers must be on the same subnet if they are directly connected or are connected to the same switch.
    For firewalls without dedicated HA ports, you can use the management port for the control connection.
    Using the management port provides a direct communication link between the management planes on
    both firewalls. However, because the management ports will not be directly cabled between the peers,
    make sure that you have a route that connects these two interfaces across your network.
    If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for
    the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP
    subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to
    the data ports on the firewall.

  - The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls.
    Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of
    licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

If you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an
existing configuration, it is recommended that you Reset the Firewall to Factory Default Settings on the new
firewall. This ensures that the new firewall has a clean configuration. After HA is configured, you then sync the
configuration on the primary firewall to the newly introduced firewall with the clean config.


Configuration Guidelines for Active/Passive HA

To set up an active (PeerA) passive (PeerB) pair in HA, you must configure some options identically on both
firewalls and some independently (non-matching) on each firewall. These HA settings are not synchronized
between the firewalls. For details on what is and is not synchronized, refer to HA Synchronization.
To proceed with the instructions on configuring the firewalls in HA, see Configure Active/Passive HA.
The following table lists the settings that you must configure identically on both firewalls:

Identical Configuration Settings on PeerA and PeerB

  - HA must be enabled on both firewalls.
  - Both firewalls must have the same Group ID value. The Group ID value is used to create a virtual MAC
    address for all the configured interfaces. The format of the virtual MAC is 00-1B-17:00:xx:yy, where
    00-1B-17 is the vendor ID, 00 is fixed, xx is the HA group ID, and yy is the interface ID.
    When a new active firewall takes over, Gratuitous ARP messages are sent from each of the connected
    interfaces of the new active member to inform the connected Layer 2 switches of the virtual MAC
    address's new location.
  - If using in-band ports, the interfaces for the HA1 and HA2 links must be set to type HA.
  - The HA mode must be set to Active Passive.
  - If required, preemption must be enabled on both firewalls. The device priority value, however, must not
    be identical.
  - If required, encryption on the HA1 link (for communication between the HA peers) must be configured
    on both firewalls.
  - Based on the combination of HA1 and HA1 Backup ports you are using, use the following
    recommendations to decide whether you should enable heartbeat backup:
      HA1: Dedicated HA1 port    HA1 Backup: In-band port       Recommendation: Enable Heartbeat Backup
      HA1: Dedicated HA1 port    HA1 Backup: Management port    Recommendation: Do not enable Heartbeat Backup
      HA1: In-band port          HA1 Backup: In-band port       Recommendation: Enable Heartbeat Backup
      HA1: Management port       HA1 Backup: In-band port       Recommendation: Do not enable Heartbeat Backup
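The virtual MAC layout above makes HA pairs visible in any ARP or switch CAM table, which is useful both for inventory and for spotting the Group ID collision the guide warns about (two pairs in one broadcast domain with the same Group ID advertise the same virtual MACs). The following Python is an added example, not code from this guide or from Palo Alto Networks. It builds and decodes the virtual MAC and flags virtual MACs claimed by more than one address. It assumes that the group ID (xx) and interface ID (yy) each occupy one octet written in hexadecimal, which is what the six-octet layout implies; the ARP table is constructed.

```python
"""Build and decode the PAN-OS HA virtual MAC (00-1B-17:00:xx:yy) and look for
colliding virtual MACs in an ARP table.

Added example, not code from the PAN-OS guide or from Palo Alto Networks. It
assumes the HA group ID and interface ID each occupy one octet, written in
hex, as the six-octet layout implies. The ARP table below is constructed.
"""
from typing import Dict, List, Optional, Tuple

OUI = (0x00, 0x1B, 0x17)        # Palo Alto Networks vendor ID from the guide
FIXED = 0x00                    # the fourth octet is always 00


def virtual_mac(group_id: int, interface_id: int) -> str:
    """Return the virtual MAC both peers of an HA group advertise for an interface."""
    if not 0 <= group_id <= 0xFF or not 0 <= interface_id <= 0xFF:
        raise ValueError("group ID and interface ID must each fit in one octet")
    return ":".join(f"{octet:02x}" for octet in OUI + (FIXED, group_id, interface_id))


def decode_virtual_mac(mac: str) -> Optional[Tuple[int, int]]:
    """Return (group_id, interface_id) if mac is a PAN-OS HA virtual MAC, else None."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6:
        return None
    try:
        octets = tuple(int(part, 16) for part in parts)
    except ValueError:
        return None
    if octets[:3] != OUI or octets[3] != FIXED:
        return None
    return octets[4], octets[5]


def vmac_conflicts(arp_table: List[Tuple[str, str]]) -> Dict[Tuple[int, int], List[str]]:
    """Map each HA virtual MAC that more than one IP address resolves to, to those addresses.

    Two HA pairs sharing a broadcast domain and a Group ID produce this symptom,
    and so does a host spoofing the firewall's virtual MAC. An interface that
    carries secondary addresses also matches, so review each hit before acting.
    """
    claimed: Dict[Tuple[int, int], List[str]] = {}
    for ip, mac in arp_table:
        ids = decode_virtual_mac(mac)
        if ids is not None:
            claimed.setdefault(ids, []).append(ip)
    return {ids: sorted(ips) for ids, ips in claimed.items() if len(ips) > 1}


# Constructed ARP table: group 1 on two interfaces, plus a second claimant of one virtual MAC.
SAMPLE_ARP: List[Tuple[str, str]] = [
    ("10.1.1.1", "00:1b:17:00:01:0a"),
    ("10.1.2.1", "00:1b:17:00:01:0b"),
    ("10.1.1.5", "00:1b:17:00:01:0a"),     # same virtual MAC as 10.1.1.1
    ("10.1.1.9", "00:50:56:aa:bb:cc"),     # not an HA virtual MAC
]

if __name__ == "__main__":
    print(virtual_mac(1, 10))
    print(vmac_conflicts(SAMPLE_ARP))
```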

The following table lists the settings that must be configured independently on each firewall:


Independent Configuration Settings (PeerA / PeerB)

Control Link
  PeerA: IP address of the HA1 link configured on this firewall (PeerA).
  PeerB: IP address of the HA1 link configured on this firewall (PeerB).
  For firewalls without dedicated HA ports, use the management port IP address for the control link.

Data Link
  The data link information is synchronized between the firewalls after HA is enabled and the control link is
  established between the firewalls.
  PeerA: By default, the HA2 link uses Ethernet/Layer 2. If using a Layer 3 connection, configure the IP
  address for the data link on this firewall (PeerA).
  PeerB: By default, the HA2 link uses Ethernet/Layer 2. If using a Layer 3 connection, configure the IP
  address for the data link on this firewall (PeerB).

Device Priority (required, if preemption is enabled)
  PeerA: The firewall you plan to make active must have a lower numerical value than its peer. So, if PeerA is
  to function as the active firewall, keep the default value of 100 and increment the value on PeerB.
  PeerB: If PeerB is passive, set the device priority value to a number larger than that on PeerA. For example,
  set the value to 110.

Link Monitoring
  Monitor one or more physical interfaces that handle vital traffic on this firewall and define the failure
  condition.
  PeerA: Select the physical interfaces on the firewall that you would like to monitor and define the failure
  condition (all or any) to trigger a failover.
  PeerB: Pick a similar set of physical interfaces that you would like to monitor on this firewall and define
  the failure condition (all or any) to trigger a failover.

Path Monitoring
  Monitor one or more destination IP addresses that the firewall can ping (ICMP) to ascertain responsiveness.
  PeerA: Define the failure condition (all or any), ping interval, and the ping count. This is particularly useful
  for monitoring the availability of other interconnected networking devices. For example, monitor the
  availability of a router that connects to a server, connectivity to the server itself, or some other vital device
  that is in the flow of traffic. Make sure that the node/device that you are monitoring is not likely to be
  unresponsive, especially when it comes under load, as this could cause a path monitoring failure and
  trigger a failover.
  PeerB: Pick a similar set of devices or destination IP addresses that can be monitored for determining the
  failover trigger for PeerB. Define the failure condition (all or any), ping interval, and the ping count.
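The two tables above are a checklist, and because the HA settings themselves are not synchronized, a mismatch between the peers is only caught when failover goes wrong. The following Python is an added example, not code from this guide or from Palo Alto Networks. It encodes the identical/independent rules as a pre-commit check over a constructed representation of each peer's HA settings (not the firewall's configuration format). The heartbeat-backup rule generalizes the guide's four listed port combinations to "enable unless HA1 or its backup already uses the management port"; that generalization is an assumption.

```python
"""Pre-commit consistency check for a PAN-OS active/passive HA pair.

Added example; not code from the PAN-OS guide or from Palo Alto Networks. The
peer dictionaries are a constructed representation of the HA settings, not the
firewall's configuration format. The heartbeat-backup rule generalizes the
guide's four listed combinations (an assumption for combinations not listed).
"""
import ipaddress
from typing import Any, Dict, List

Peer = Dict[str, Any]

# Settings the guide requires to be identical on both peers.
IDENTICAL_KEYS = ("ha_enabled", "group_id", "mode", "preemptive",
                  "ha1_encryption", "ha2_transport")


def recommend_heartbeat_backup(ha1_port_type: str, ha1_backup_port_type: str) -> bool:
    """Enable heartbeat backup unless HA1 or its backup already uses the management port."""
    return "management" not in (ha1_port_type, ha1_backup_port_type)


def _network(cidr: str):
    return ipaddress.ip_interface(cidr).network


def check_peer(peer: Peer, name: str) -> List[str]:
    """Rules the guide states for each firewall on its own."""
    problems: List[str] = []
    if not peer["ha_enabled"]:
        problems.append(f"{name}: HA is not enabled")
    if peer["mode"] != "active-passive":
        problems.append(f"{name}: mode is {peer['mode']!r}, expected 'active-passive'")
    ha1_net = _network(peer["ha1_ip"])
    if peer["ha1_backup_ip"] and _network(peer["ha1_backup_ip"]) == ha1_net:
        problems.append(f"{name}: HA1 backup must be on a different subnet from HA1")
    if peer["ha1_backup_port"] and peer["ha1_backup_port"] == peer["ha2_backup_port"]:
        problems.append(f"{name}: HA1 backup and HA2 backup must use separate physical ports")
    if peer["ha2_transport"] in ("ip", "udp"):          # Layer 3 transport needs an address
        if not peer["ha2_ip"]:
            problems.append(f"{name}: HA2 transport {peer['ha2_transport']} needs an IP address")
        elif _network(peer["ha2_ip"]).overlaps(ha1_net):
            problems.append(f"{name}: HA2 subnet overlaps the HA1 subnet")
    if (recommend_heartbeat_backup(peer["ha1_port_type"], peer["ha1_backup_port_type"])
            and not peer["heartbeat_backup"]):
        problems.append(f"{name}: enable heartbeat backup ({peer['ha1_port_type']} HA1 with "
                        f"{peer['ha1_backup_port_type']} HA1 backup)")
    return problems


def check_pair(a: Peer, b: Peer) -> List[str]:
    """Rules that involve both peers, plus each peer's own checks."""
    problems = check_peer(a, "PeerA") + check_peer(b, "PeerB")
    for key in IDENTICAL_KEYS:
        if a[key] != b[key]:
            problems.append(f"{key} must match on both peers ({a[key]!r} vs {b[key]!r})")
    if a["preemptive"] and a["priority"] == b["priority"]:
        problems.append("preemption is enabled but both device priorities are equal; "
                        "the lowest HA1 MAC address would decide the active firewall")
    if a["ha1_ip"] == b["ha1_ip"]:
        problems.append("HA1 addresses must differ")
    same_subnet = _network(a["ha1_ip"]) == _network(b["ha1_ip"])
    if not same_subnet and not (a["ha1_gateway"] and b["ha1_gateway"]):
        problems.append("HA1 addresses are on different subnets; configure a gateway on both peers")
    if same_subnet and (a["ha1_gateway"] or b["ha1_gateway"]):
        problems.append("HA1 addresses share a subnet; do not configure a gateway")
    return problems


# Constructed pair: dedicated HA1, in-band backups, Layer 2 HA2, PeerA preferred active.
PEER_A: Peer = {
    "ha_enabled": True, "group_id": 7, "mode": "active-passive",
    "preemptive": True, "priority": 100, "ha1_encryption": True,
    "ha1_port_type": "dedicated", "ha1_ip": "192.168.255.1/30", "ha1_gateway": None,
    "ha1_backup_port": "ethernet1/7", "ha1_backup_port_type": "in-band",
    "ha1_backup_ip": "192.168.254.1/30",
    "ha2_transport": "ethernet", "ha2_ip": None,
    "ha2_backup_port": "ethernet1/8", "ha2_backup_ip": "192.168.253.1/30",
    "heartbeat_backup": True,
}
PEER_B: Peer = dict(PEER_A, priority=110, ha1_ip="192.168.255.2/30",
                    ha1_backup_ip="192.168.254.2/30", ha2_backup_ip="192.168.253.2/30")

if __name__ == "__main__":
    print(check_pair(PEER_A, PEER_B))
    print(check_pair(PEER_A, dict(PEER_B, priority=100, group_id=8)))
```

The check is deliberately one-directional: it reads settings and reports, so it can run from a change-management pipeline before either peer is committed.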


Configure Active/Passive HA
The following procedure shows how to configure a pair of firewalls in an active/passive deployment as depicted
in the following example topology.

Connect and Configure the Firewalls

Step 1  Connect the HA ports to set up a physical connection between the firewalls.
  - For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the
    HA2 ports on the peers. Use a crossover cable if the peers are directly connected to each other.
  - For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1
    link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls. Use the
    management port for the HA1 link and ensure that the management ports can connect to each other across
    your network.

Pick a firewall in the pair and complete the following steps:

Step 2  Enable ping on the management port. Enabling ping allows the management port to exchange
heartbeat backup information.
  1. Select Device > Setup > Management and then click the Edit icon in the Management Interface Settings
     section of the screen.
  2. Select Ping as a service that is permitted on the interface.


Step 3  If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports. For
firewalls with dedicated HA ports, continue to the next step.
  1. Select Network > Interfaces.
  2. Confirm that the link is up on the ports that you want to use.
  3. Select the interface and set Interface Type to HA.
  4. Set the Link Speed and Link Duplex settings, as appropriate.

Step 4  Set the HA mode and group ID.
  1. Select Device > High Availability > General and edit the Setup section.
  2. Set a Group ID and optionally a Description for the pair. The Group ID uniquely identifies each HA pair
     on your network. If you have multiple HA pairs that share the same broadcast domain, you must set a
     unique Group ID for each pair.
  3. Set the mode to Active Passive.

Step 5  Set up the control link connection. This example shows an in-band port that is set to interface type
HA. For firewalls that use the management port as the control link, the IP address information is
automatically pre-populated.
  1. In Device > High Availability > General, edit the Control Link (HA1) section.
  2. Select the Port that you have cabled for use as the HA1 link.
  3. Set the IPv4/IPv6 Address and Netmask. If the HA1 interfaces are on separate subnets, enter the IP
     address of the Gateway. Do not add a gateway address if the firewalls are directly connected.

Step 6  (Optional) Enable encryption for the control link connection. This is typically used to secure the link
if the two firewalls are not directly connected, that is, if the ports are connected to a switch or a router.
  1. Export the HA key from one firewall and import it into the peer firewall.
     a. Select Device > Certificate Management > Certificates.
     b. Select Export HA key. Save the HA key to a network location that the peer can access.
     c. On the peer firewall, select Device > Certificate Management > Certificates, and select Import HA
        key to browse to the location where you saved the key and import it into the peer.
     Treat the exported HA key as a secret: restrict access to the location you save it to, and remove the file
     once the peer has imported it.
  2. Select Device > High Availability > General and edit the Control Link (HA1) section.
  3. Select Encryption Enabled.


Step 7  Set up the backup control link connection.
  1. In Device > High Availability > General, edit the Control Link (HA1 Backup) section.
  2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.

Step 8  Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
  1. In Device > High Availability > General, edit the Data Link (HA2) section.
  2. Select the Port to use for the data link connection.
  3. Select the Transport method. The default is ethernet, which works when the HA pair is connected directly
     or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the
     transport mode.
  4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
  5. Verify that Enable Session Synchronization is selected.
  6. Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure
     occurs based on the threshold that is set (default is 10000 ms), the defined action will occur. For an
     active/passive configuration, a critical system log message is generated when an HA2 keep-alive failure
     occurs.
     You can configure the HA2 keep-alive option on both firewalls, or on just one firewall in the HA pair. If
     the option is only enabled on one firewall, only that firewall will send the keep-alive messages. The other
     firewall will be notified if a failure occurs.
  7. Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and
     Netmask.


Step 9  Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port. You do not
need to enable heartbeat backup if you are using the management port for the control link.
  1. In Device > High Availability > General, edit the Election Settings.
  2. Select Heartbeat Backup. To allow the heartbeats to be transmitted between the firewalls, you must verify
     that the management ports on both peers can route to each other.
     Enabling heartbeat backup also allows you to prevent a split-brain situation. Split brain occurs when the
     HA1 link goes down, causing the firewall to miss heartbeats although the peer is still functioning. In such
     a situation, each peer believes that the other is down and attempts to start the services that are running,
     thereby causing a split brain. When the heartbeat backup link is enabled, split brain is prevented because
     redundant heartbeats and hello messages are transmitted over the management port.

Step 10  Set the device priority and enable preemption. This setting is only required if you wish to make sure
that a specific firewall is the preferred active firewall. For information, see Device Priority and Preemption.
  1. In Device > High Availability > General, edit the Election Settings.
  2. Set the numerical value in Device Priority. Make sure to set a lower numerical value on the firewall that
     you want to assign a higher priority to.
     If both firewalls have the same device priority value, the firewall with the lowest MAC address on the
     HA1 control link will become the active firewall.
  3. Select Preemptive. You must enable preemptive on both the active firewall and the passive firewall.

Step 11  (Optional) Modify the failover timers. By default, the HA timer profile is set to the Recommended
profile, which is suited for most HA deployments.
  1. In Device > High Availability > General, edit the Election Settings.
  2. Select the Aggressive profile for triggering failover faster; select Advanced to define custom values for
     triggering failover in your setup.
     To view the preset value for an individual timer included in a profile, select Advanced and click Load
     Recommended or Load Aggressive. The preset values for your hardware model will be displayed on
     screen.

PAN-OS 7.0 Administrators Guide 213


Step 12 (Optional, only configured on the passive firewall) Modify the link status of the HA ports on the passive firewall.
The passive link state is shutdown by default. After you enable HA, the link state for the HA ports on the active firewall will be green and those on the passive firewall will be down and display as red.
Setting the link state to Auto allows for reducing the amount of time it takes for the passive firewall to take over when a failover occurs, and it allows you to monitor the link state.
To enable the link status on the passive firewall to stay up and reflect the cabling status on the physical interface:
1. In Device > High Availability > General, edit the Active Passive Settings.
2. Set the Passive Link State to Auto.
The auto option decreases the amount of time it takes for the passive firewall to take over when a failover occurs. Although the interface displays green (as cabled and up), it continues to discard all traffic until a failover is triggered.
When you modify the passive link state, make sure that the adjacent devices do not forward traffic to the passive firewall based only on the link status of the firewall.

Step 13 Enable HA.
1. Select Device > High Availability > General and edit the Setup section.
2. Select Enable HA.
3. Select Enable Config Sync. This setting enables the synchronization of the configuration settings between the active and the passive firewall.
4. Enter the IP address assigned to the control link of the peer in Peer HA1 IP Address.
For firewalls without dedicated HA ports, if the peer uses the management port for the HA1 link, enter the management port IP address of the peer.
5. Enter the Backup HA1 IP Address.

Step 14 Save your configuration changes.
Click Commit.

Step 15 Complete Step 2 through Step 14 on the other firewall in the HA pair.


Step 16 After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.
1. Access the Dashboard on both firewalls, and view the High Availability widget.
2. On the active firewall, click the Sync to peer link.
3. Confirm that the firewalls are paired and synced, as shown below:
On the passive firewall: the state of the local firewall should display passive and the Running Config should show as synchronized.
On the active firewall: the state of the local firewall should display active and the Running Config should show as synchronized.


Define HA Failover Conditions


Configure the Failover Triggers

Step 1 To configure link monitoring, define the interfaces that you would like to monitor. A change in the link state of these interfaces will trigger a failover.
1. Select Device > High Availability > Link and Path Monitoring and Add a Link Group.
2. Name the Link Group, Add the interfaces to monitor, and select the Failure Condition for the group. The Link Group you define is added to the Link Group section.

Step 2 (Optional) Modify the failure condition for the Link Groups that you configured (in the preceding step) on the firewall.
By default, the firewall will trigger a failover when any monitored link fails.
1. Select the Link Monitoring section.
2. Set the Failure Condition to All.
The default setting is Any.

Step 3 To configure path monitoring, define the destination IP addresses that the firewall should ping to verify network connectivity.
1. In the Path Group section of the Device > High Availability > Link and Path Monitoring tab, pick the Add option for your set up: Virtual Wire, VLAN, or Virtual Router.
2. Select the appropriate item from the drop-down for the Name and Add the IP addresses (source and/or destination, as prompted) that you wish to monitor. Then select the Failure Condition for the group. The path group you define is added to the Path Group section.

Step 4 (Optional) Modify the failure condition for all Path Groups configured on the firewall.
By default, the firewall will trigger a failover when any monitored path fails.
Set the Failure Condition to All.
The default setting is Any.

Step 5 Save your changes.
Click Commit.


If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is unique to each firewall; the
EngineID is not synchronized between the HA pair and, therefore, allows you to independently monitor each
firewall in the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager.
Because the EngineID is generated using the firewall serial number, on the VM-Series firewall you must apply a
valid license in order to obtain a unique EngineID for each firewall.


Verify Failover
To test that your HA configuration works properly, trigger a manual failover and verify that the firewalls transition states successfully.

Verify Failover

Step 1 Suspend the active firewall.
Select Device > High Availability > Operational Commands and click the Suspend local device link.

Step 2 Verify that the passive firewall has taken over as active.
On the Dashboard, verify that the state of the passive firewall changes to active in the High Availability widget.

Step 3 Restore the suspended firewall to a functional state. Wait for a couple of minutes, and then verify that preemption has occurred, if preemptive is enabled.
1. On the firewall you previously suspended, select Device > High Availability > Operational Commands and click the Make local device functional link.
2. In the High Availability widget on the Dashboard, confirm that the firewall has taken over as the active firewall and that the peer is now in a passive state.
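The election, preemption, monitoring and split-brain rules from Step 9, Step 10, Configure the Failover Triggers and Verify Failover, modelled as an added example (not Palo Alto Networks code) so you can reason about which peer ends up active under a planned configuration before you commit it. Peer names, HA1 MACs, interface names and ping targets are constructed sample values; the Peer, MonitorGroup, elect and verify_failover names are assumptions of this example, not firewall API names.

```python
"""Model of the active/passive HA rules this section describes (added example,
not Palo Alto Networks code): election (lower Device Priority wins, ties go to
the lowest HA1 MAC), Preemptive (must be enabled on both peers), Link/Path
Monitoring Failure Conditions (Any or All inside a group, Any or All across
groups) and the split-brain condition that Heartbeat Backup addresses."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ANY, ALL = "any", "all"          # Failure Condition values; Any is the default


@dataclass
class MonitorGroup:
    """A Link Group (members are interfaces) or Path Group (members are ping targets)."""
    name: str
    members: List[str]
    failure_condition: str = ANY

    def failed(self, status: Dict[str, bool]) -> bool:
        # status maps a member to True (link up / ping answered) or False
        down = [not status.get(m, False) for m in self.members]
        return all(down) if self.failure_condition == ALL else any(down)


def monitoring_failed(groups: List[MonitorGroup], status: Dict[str, bool],
                      condition: str = ANY) -> bool:
    """Steps 2 and 4: the condition across all groups is Any unless set to All."""
    if not groups:
        return False
    results = [g.failed(status) for g in groups]
    return all(results) if condition == ALL else any(results)


@dataclass
class Peer:
    name: str
    ha1_mac: str                      # MAC address of the HA1 control link
    device_priority: int = 100        # lower value = higher priority
    preemptive: bool = False
    functional: bool = True           # False after "Suspend local device"
    link_groups: List[MonitorGroup] = field(default_factory=list)
    path_groups: List[MonitorGroup] = field(default_factory=list)
    link_condition: str = ANY
    path_condition: str = ANY

    def eligible(self, status: Dict[str, bool]) -> bool:
        """A peer can be active only if it is functional and no monitor tripped."""
        return (self.functional
                and not monitoring_failed(self.link_groups, status, self.link_condition)
                and not monitoring_failed(self.path_groups, status, self.path_condition))


def mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def elect(a: Peer, b: Peer, status: Dict[str, bool]) -> str:
    """Name of the peer that wins the election, or 'none' if neither is eligible."""
    candidates = [p for p in (a, b) if p.eligible(status)]
    if not candidates:
        return "none"
    best = min(candidates, key=lambda p: (p.device_priority, mac_int(p.ha1_mac)))
    return best.name


def next_active(current: str, a: Peer, b: Peer, status: Dict[str, bool]) -> str:
    """Who is active after a state change: a returning preferred peer takes
    over only when Preemptive is enabled on both peers."""
    peers = {a.name: a, b.name: b}
    cur = peers.get(current)
    if cur is not None and cur.eligible(status):
        preferred = elect(a, b, status)
        if preferred != current and a.preemptive and b.preemptive:
            return preferred
        return current
    return elect(a, b, status)


def verify_failover(a: Peer, b: Peer, status: Dict[str, bool]) -> List[Tuple[str, str]]:
    """The Verify Failover procedure: suspend the active peer, then restore it."""
    active = elect(a, b, status)
    trail = [("initial", active)]
    suspended = {a.name: a, b.name: b}[active]
    suspended.functional = False                 # Step 1: Suspend local device
    active = next_active(active, a, b, status)
    trail.append(("suspended", active))          # Step 2: passive takes over
    suspended.functional = True                  # Step 3: Make local device functional
    trail.append(("restored", next_active(active, a, b, status)))
    return trail


def split_brain_possible(ha1_up: bool, heartbeat_backup: bool, mgmt_routable: bool) -> bool:
    """Step 9: with HA1 down and no usable heartbeat backup, each peer believes
    the other is down and both try to become active."""
    return not ha1_up and not (heartbeat_backup and mgmt_routable)


if __name__ == "__main__":
    status = {"ethernet1/1": True, "ethernet1/2": True, "10.0.0.1": True}   # constructed
    fw1 = Peer("fw1", "00:1b:17:00:00:0a", device_priority=50, preemptive=True,
               link_groups=[MonitorGroup("uplinks", ["ethernet1/1", "ethernet1/2"])])
    fw2 = Peer("fw2", "00:1b:17:00:00:05", device_priority=100, preemptive=True)
    print(verify_failover(fw1, fw2, status))     # fw1 -> fw2 -> fw1 (preempted back)
```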


Reference: HA Synchronization
If you have enabled configuration synchronization on both peers in an HA pair, most of the configuration
settings you configure on one peer will automatically sync to the other peer upon commit. To avoid
configuration conflicts, always make configuration changes on the active (active/passive) or active-primary
(active/active) peer and wait for the changes to sync to the peer before making any additional configuration
changes.
The following topics identify what portions of a firewall configuration must be configured on each device
independently (rather than synchronized from the HA peer).

What Settings Don't Sync in Active/Passive HA?

What Settings Don't Sync in Active/Active HA?

Synchronization of System Runtime Information

What Settings Don't Sync in Active/Passive HA?

You must configure the following settings on each firewall in an HA pair in an active/passive deployment. These settings do not sync from one peer to another:

Configuration Item: What Doesn't Sync in Active/Passive?

Management Interface Settings: All management configuration settings must be configured individually on each device, including:
Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, Time Zone, Locale, Date, Time, Latitude, Longitude
Device > Setup > Management > Management Interface Settings: IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP)

Multi-vsys Capability: To enable multi-vsys you must activate the Virtual Systems license (required to enable support for multiple virtual systems on PA-2000 Series and PA-3000 Series firewalls or to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls) on each firewall in the pair. In addition, you must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

Administrator Authentication Settings: You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).

Panorama Settings: Set the following Panorama settings on each firewall (Device > Setup > Management > Panorama Settings).
Panorama Servers
Disable Panorama Policy and Objects and Disable Device and Network Template

SNMP: Device > Setup > Operations > SNMP Setup

Statistics Collection: Device > Setup > Operations > Statistics Service Setup

Services: Device > Setup > Services

Global Service Routes: Device > Setup > Services > Service Route Configuration

Data Protection: Device > Setup > Content-ID > Manage Data Protection

Jumbo Frames: Device > Setup > Session > Session Settings > Enable Jumbo Frame

Forward Proxy Server Certificate Settings: Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

Master Key Secured by HSM: Device > Setup > HSM > Hardware Security Module Provider > Master Key Secured by HSM

Log Export Settings: Device > Scheduled Log Export

Software Updates: With software updates, you can either download and install them separately on each device, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
Device > Software

GlobalProtect Agent Package: With GlobalProtect client updates, you can either download and install them separately on each device, or download them to one peer and sync the update to the other peer. You must activate separately on each peer.
Device > GlobalProtect Client

Content Updates: With content updates, you can either download and install them separately on each device, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
Device > Dynamic Updates

Licenses/Subscriptions: Device > Licenses

Support Subscription: Device > Support

Master Key: The master key must be identical on each firewall in the HA pair, but you must manually enter it on each device (Device > Master Key and Diagnostics). Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.

Reports, Logs, and Dashboard Settings: Log data, reports, and Dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.


What Settings Don't Sync in Active/Active HA?

You must configure the following settings on each firewall in an HA pair in an active/active deployment. These settings do not sync from one peer to another:

Configuration Item: What Doesn't Sync?

Management Interface Settings: All management configuration settings must be configured individually on each device, including:
Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, Time Zone, Locale, Date, Time, Latitude, Longitude
Device > Setup > Management > Management Interface Settings: IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP)

Multi-vsys Capability: To enable multi-vsys you must activate the Virtual Systems license (required to enable support for multiple virtual systems on PA-2000 Series and PA-3000 Series firewalls or to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls) on each firewall in the pair. In addition, you must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

Administrator Authentication Settings: You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).

Panorama Settings: Set the following Panorama settings on each firewall (Device > Setup > Management > Panorama Settings).
Panorama Servers
Disable Panorama Policy and Objects and Disable Device and Network Template

SNMP: Device > Setup > Operations > SNMP Setup

Statistics Collection: Device > Setup > Operations > Statistics Service Setup

Services: Device > Setup > Services

Global Service Routes: Device > Setup > Services > Service Route Configuration

Data Protection: Device > Setup > Content-ID > Manage Data Protection

Jumbo Frames: Device > Setup > Session > Session Settings > Enable Jumbo Frame

Forward Proxy Server Certificate Settings: Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

HSM Configuration: Device > Setup > HSM

Log Export Settings: Device > Scheduled Log Export


Software Updates: With software updates, you can either download and install them separately on each device, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
Device > Software

GlobalProtect Agent Package: With GlobalProtect client updates, you can either download and install them separately on each device, or download them to one peer and sync the update to the other peer. You must activate separately on each peer.
Device > GlobalProtect Client

Content Updates: With content updates, you can either download and install them separately on each device, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
Device > Dynamic Updates

Licenses/Subscriptions: Device > Licenses

Support Subscription: Device > Support

Ethernet Interface IP Addresses: All Ethernet interface configuration settings sync except for the IP address (Network > Interface > Ethernet).

Loopback Interface IP Addresses: All Loopback interface configuration settings sync except for the IP address (Network > Interface > Loopback).

Tunnel Interface IP Addresses: All Tunnel interface configuration settings sync except for the IP address (Network > Interface > Tunnel).

LACP System Priority: Each peer must have a unique LACP System ID in an active/active deployment (Network > Interface > Ethernet > Add Aggregate Group > System Priority).

VLAN Interface IP Address: All VLAN interface configuration settings sync except for the IP address (Network > Interface > VLAN).

Virtual Routers: Virtual router configuration synchronizes only if you have enabled VR Sync (Device > High Availability > Active/Active Config > Packet Forwarding). Whether or not to do this depends on your network design, including whether you have asymmetric routing.

IPSec Tunnels: IPSec tunnel configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Device > High Availability > Active/Active Config > Virtual Address). If you have configured a floating IP address, these settings sync automatically. Otherwise, you must configure these settings independently on each peer.

GlobalProtect Portal Configuration: GlobalProtect portal configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Portals). If you have configured a floating IP address, the GlobalProtect portal configuration settings sync automatically. Otherwise, you must configure the portal settings independently on each peer.


GlobalProtect Gateway Configuration: GlobalProtect gateway configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Gateways). If you have configured a floating IP address, the GlobalProtect gateway configuration settings sync automatically. Otherwise, you must configure the gateway settings independently on each peer.

QoS: QoS configuration synchronizes only if you have enabled QoS Sync (Device > High Availability > Active/Active Config > Packet Forwarding). You might choose not to sync QoS settings if, for example, you have different bandwidth on each link or different latency through your service providers.

LLDP: No LLDP state or individual firewall data is synchronized in an active/active configuration (Network > LLDP).

IKE Gateways: IKE gateway configuration synchronization is dependent on whether you have configured the Virtual Addresses to use floating IP addresses (Network > IKE Gateways). If you have configured a floating IP address, the IKE gateway configuration settings sync automatically. Otherwise, you must configure the IKE gateway settings independently on each peer.

Master Key: The master key must be identical on each firewall in the HA pair, but you must manually enter it on each device (Device > Master Key and Diagnostics). Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.

Reports, Logs, and Dashboard Settings: Log data, reports, and dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.

Synchronization of System Runtime Information

Runtime Information | Synced in A/P? | Synced in A/A? | HA Link | Details

Management Plane:
User to Group Mappings | Yes | Yes | HA1 |
DHCP Lease (as server) | Yes | Yes | HA1 |
DNS Cache | Yes | Yes | HA1 |
FQDN Refresh | No | No | HA1 |
IKE Keys (phase 2) | Yes | Yes | HA1 |
BrightCloud URL Database | No | No | N/A |
BrightCloud URL Cache | No | No | N/A | This feature is disabled by default and must be enabled separately on each HA peer.
BrightCloud Bloom Filter | No | No | N/A | This feature is disabled by default and must be enabled separately on each HA peer.
PAN-DB URL Cache | Yes | No | HA1 | This is synchronized upon database backup to disk (every eight hours, when URL database version updates), or when the firewall reboots.
Content (manual sync) | Yes | Yes | HA1 |
PPPoE, PPPoE Lease | Yes | Yes | HA1 |
DHCP Client Settings and Lease | Yes | Yes | HA1 |
SSL VPN Logged in User List | Yes | Yes | HA1 |
Forward Information Base (FIB) | Yes | Yes | HA1 |

Dataplane:
Session Table | Yes | Yes | HA2 | Active/passive peers do not sync ICMP or host session information. Active/active peers do not sync host session or multicast session information.
ARP Table | Yes | No | HA2 |
Neighbor Discovery (ND) Table | Yes | No | HA2 |
MAC Table | Yes | No | HA2 |
IPSec Sequence Number (anti-replay) | Yes | Yes | HA2 |
DoS Protection | Yes | Yes | HA2 |
User to IP Address Mappings | Yes | Yes | HA2 |
Virtual MAC | Yes | Yes | HA2 |


HA Resources
For more information on HA, refer to the following sources:

Active/Active HA

High Availability Failover Optimization

Upgrading an HA pair

Examples: Deploying HA


Monitoring
In order to forestall potential issues, and accelerate incident response when needed, the firewall provides
intelligence on traffic and user patterns and customizable and informative reports. The dashboard, Application
Command Center (ACC), reports, and logs on the firewall allow you to monitor activity on your network. You
can monitor the logs and filter the information to generate reports with predefined or customized views. You
can, for example, use the predefined templates to generate reports on user activities, or analyze the reports and
logs to interpret unusual behavior on your network and generate a custom report on the traffic pattern. For a
visually engaging presentation of network activity, the dashboard and the ACC include widgets, charts, and
tables that you can interact with to find information that you care about. In addition, you can configure the
firewall to forward monitored information as email notifications, syslog messages, SNMP traps, and NetFlow
records to external services.

Use the Dashboard

Use the Application Command Center

App Scope

Use the Automated Correlation Engine

Take Packet Captures

Monitor Applications and Threats

Monitor and Manage Logs

Manage Reporting

Use External Services for Monitoring

Configure Log Forwarding

Configure Email Alerts

Use Syslog for Monitoring

SNMP Monitoring and Traps

NetFlow Monitoring


Use the Dashboard


The Dashboard tab widgets show general device information, such as the software version, the operational status of each interface, resource utilization, and up to 10 of the most recent entries in the threat, configuration, and system logs. All of the available widgets are displayed by default, but each administrator can remove and add individual widgets, as needed. Click the refresh icon to update the dashboard or an individual widget. To change the automatic refresh interval, select an interval from the drop-down (1 min, 2 mins, 5 mins, or Manual). To add a widget to the dashboard, click the widget drop-down, select a category and then the widget name. To delete a widget, click the icon in the title bar. The following table describes the dashboard widgets.

Dashboard Charts: Descriptions

Top Applications: Displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse-over the block to view the number), and the color indicates the security risk, from green (lowest) to red (highest). Click an application to view its application profile.

Top High Risk Applications: Similar to Top Applications, except that it displays the highest-risk applications with the most sessions.

General Information: Displays the device name, model, PAN-OS software version, the application, threat, and URL filtering definition versions, the current date and time, and the length of time since the last restart.

Interface Status: Indicates whether each interface is up (green), down (red), or in an unknown state (gray).

Threat Logs: Displays the threat ID, application, and date and time for the last 10 entries in the Threat log. The threat ID is a malware description or URL that violates the URL filtering profile.

Config Logs: Displays the administrator username, client (Web or CLI), and date and time for the last 10 entries in the Configuration log.

Data Filtering Logs: Displays the description and date and time for the last 60 minutes in the Data Filtering log.

URL Filtering Logs: Displays the description and date and time for the last 60 minutes in the URL Filtering log.

System Logs: Displays the description and date and time for the last 10 entries in the System log. A Config installed entry indicates configuration changes were committed successfully.

System Resources: Displays the Management CPU usage, Data Plane usage, and the Session Count, which displays the number of sessions established through the firewall.

Logged In Admins: Displays the source IP address, session type (Web or CLI), and session start time for each administrator who is currently logged in.

ACC Risk Factor: Displays the average risk factor (1 to 5) for the network traffic processed over the past week. Higher values indicate higher risk.

High Availability: If high availability (HA) is enabled, indicates the HA status of the local and peer device: green (active), yellow (passive), or black (other). For more information about HA, see High Availability.

Locks: Shows configuration locks taken by administrators.


Use the Application Command Center


The Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs,
threats, and content traversing your network. The ACC uses the firewall logs to provide visibility into traffic
patterns and actionable information on threats. The ACC layout includes a tabbed view of network activity,
threat activity, and blocked activity and each tab includes pertinent widgets for better visualization of network
traffic. The graphical representation allows you to interact with the data and visualize the relationships between
events on the network, so that you can uncover anomalies or find ways to enhance your network security rules.
For a personalized view of your network, you can also add a custom tab and include widgets that allow you to
drill down into the information that is most important to you.

ACC: First Look

ACC Tabs

ACC Widgets (Widget Descriptions)

ACC Filters

Interact with the ACC

Use Case: ACC Path of Information Discovery


ACC: First Look
Take a quick tour of the ACC.

Tabs: The ACC includes three predefined tabs that provide visibility into network traffic, threat activity, and blocked activity. For information on each tab, see ACC Tabs.

Widgets: Each tab includes a default set of widgets that best represent the events/trends associated with the tab. The widgets allow you to survey the data using the following filters:
bytes (in and out)
sessions
content (files and data)
URL categories
threats (and count)
For information on each widget, see ACC Widgets.

Time: The charts or graphs in each widget provide a summary and historic view. You can choose a custom range or use the predefined time periods that range from the last 15 minutes up to the last 30 days or last 30 calendar days. The selected time period applies across all tabs in the ACC.
The time period used to render data, by default, is the Last Hour, updated in 15 minute intervals. The date and time interval are displayed onscreen; for example, at 11:40 the time range is 01/12 10:30:00-01/12 11:29:59.

Global Filters: The Global Filters allow you to set the filter across all widgets and all tabs. The charts/graphs apply the selected filters before rendering the data. For information on using the filters, see ACC Filters.

Risk Factor: The risk factor (1=lowest to 5=highest) indicates the relative risk based on the applications used on your network. The risk factor uses a variety of factors to assess the associated risk levels, such as whether the application can share files, is prone to misuse, or tries to evade firewalls; it also factors in the threat activity and malware as seen through the number of blocked threats, compromised hosts, or traffic to malware hosts/domains.

Source: The data segment used for the display. The options vary on the firewall and on Panorama.
On the firewall, if enabled for multiple virtual systems, you can use the Virtual System drop-down to change the ACC display to include all virtual systems or just a selected virtual system.
On Panorama, you can select the Device Group drop-down to change the ACC display to include all device groups or just a selected device group.
Additionally, on Panorama, you can change the Data Source to Panorama data or Remote Device Data. Remote Device Data is only available when all the managed firewalls are on PAN-OS 7.0.0 or later. When you filter the display for a specific device group, Panorama data is used as the data source.

Export: You can export the widgets displayed in the currently selected tab as a PDF. The PDF is downloaded and saved to the downloads folder associated with your web browser, on your computer.


ACC Tabs
The ACC includes the following predefined tabs for viewing network activity, threat activity, and blocked activity.
Tab: Description

Network Activity: Displays an overview of traffic and user activity on your network including:
Top applications in use
Top users who generate traffic (with a drill down into the bytes, content, threats or URLs accessed by the user)
Most used security rules against which traffic matches occur
In addition, you can also view network activity by source or destination zone, region, or IP address, ingress or egress interfaces, and GlobalProtect host information such as the operating systems of the devices most commonly used on the network.

Threat Activity: Displays an overview of the threats on the network, focusing on the top threats: vulnerabilities, spyware, viruses, hosts visiting malicious domains or URLs, top WildFire submissions by file type and application, and applications that use non-standard ports. The Compromised Hosts widget in this tab (the widget is supported on some platforms only) supplements detection with better visualization techniques; it uses the information from the correlated events tab (Automated Correlation Engine > Correlated Events) to present an aggregated view of compromised hosts on your network by source users/IP addresses, sorted by severity.

Blocked Activity: Focuses on traffic that was prevented from coming into the network. The widgets in this tab allow you to view activity denied by application name, username, threat name, and blocked content (files and data that were blocked by a file blocking profile). It also lists the top security rules that were matched on to block threats, content, and URLs.

You can also Interact with the ACC to create customized tabs with custom layout and widgets that meet your
network monitoring needs.


ACC Widgets
The widgets on each tab are interactive; you can set the ACC Filters and drill down into the details for each table
or graph, or customize the widgets included in the tab to focus on the information you need. For details on what
each widget displays, see Widget Descriptions.

Widgets

View
You can sort the data by bytes, sessions, threats, count, content, URLs, malicious, benign,
files, data, profiles, objects. The available options vary by widget.

Graph
The graphical display options are treemap, line graph, horizontal bar graph, stacked area
graph, stacked bar graph, and map. The available options vary by widget; the interaction
experience also varies with each graph type. For example, the widget for Applications
using Non-Standard Ports allows you to choose between a treemap and a line graph.
To drill down into the display, click into the graph. The area you click into becomes a filter
and allows you to zoom into the selection and view more granular information on the
selection.


Table
The detailed view of the data used to render the graph is provided in a table below the
graph. You can interact with the table in several ways:
- Click and set a local filter for an attribute in the table. The graph is updated and the
  table is sorted using the local filter. The information displayed in the graph and the
  table is always synchronized.
- Hover over the attribute in the table and use the options available in the drop-down.

Actions
- Maximize view: Allows you to enlarge the widget and view the table in a larger
  screen space and with more viewable information.
- Set up local filters: Allows you to add ACC Filters to refine the display within the
  widget. Use these filters to customize the widgets; these customizations are retained
  between logins.
- Jump to logs: Allows you to navigate directly to the logs (Monitor > Logs > Log type
  tab). The logs are filtered using the time period for which the graph is rendered.
  If you have set local and global filters, the log query concatenates the time period and
  the filters and only displays logs that match the combined filter set.
- Export: Allows you to export the graph as a PDF. The PDF is downloaded and
  saved on your computer, in the Downloads folder associated with your web browser.


Widget Descriptions
Each tab on the ACC includes a different set of widgets.

Network Activity: Displays an overview of traffic and user activity on your network.

Application Usage
The table displays the top ten applications used on your network; all the remaining
applications used on the network are aggregated and displayed as other. The graph
displays all applications by application category, sub category, and application. Use this
widget to scan for applications being used on the network; it shows you the
predominant applications that are using bandwidth, generating sessions, transferring files,
triggering the most threats, and accessing URLs.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, area, column, line (the charts vary by the selected sort
attribute)

User Activity
Displays the top ten most active users on the network who have generated the largest
volume of traffic and consumed network resources to obtain content. Use this widget
to monitor top users by usage, sorted on bytes, sessions, threats, content (files and
patterns), and URLs visited.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the selected sort attribute)

Source IP Activity
Displays the top ten IP addresses or hostnames of the devices that have initiated
activity on the network. All other devices are aggregated and displayed as other.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the selected sort attribute)

Destination IP Activity
Displays the IP addresses or hostnames of the top ten destinations that were accessed
by users on the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the selected sort attribute)

Source Regions
Displays the top ten regions (built-in or custom-defined regions) around the world
from where users initiated activity on your network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: map, bar

Destination Regions
Displays the top ten destination regions (built-in or custom-defined regions) on the
world map from where content is being accessed by users on the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: map, bar


GlobalProtect Host Information
Displays information on the state of the hosts on which the GlobalProtect agent is
running; the host system is a GlobalProtect client. This information is sourced from
entries in the HIP match log that are generated when the data submitted by the
GlobalProtect agent matches a HIP object or a HIP profile you have defined on the
firewall. If you do not have HIP Match logs, this widget is blank. To learn how to
create HIP objects and HIP profiles and use them as policy match criteria, see
Configure HIP-Based Policy Enforcement.
Sort attributes: profiles, objects, operating systems
Charts available: bar

Rule Usage
Displays the top ten rules that have allowed the most traffic on the network. Use this
widget to view the most commonly used rules, monitor the usage patterns, and
assess whether the rules are effective in securing your network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line

Ingress Interfaces
Displays the firewall interfaces that are most used for allowing traffic into the network.
Sort attributes: bytes, bytes sent, bytes received
Charts available: line

Egress Interfaces
Displays the firewall interfaces that are most used by traffic exiting the network.
Sort attributes: bytes, bytes sent, bytes received
Charts available: line

Source Zones
Displays the zones that are most used for allowing traffic into the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line

Destination Zones
Displays the zones that are most used by traffic going outside the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line

Threat Activity: Displays an overview of the threats on the network.

Compromised Hosts
Displays the hosts that are likely compromised on your network. This widget
summarizes the events from the correlation logs. For each source user/IP address, it
includes the correlation object that triggered the match and the match count, which is
aggregated from the match evidence collated in the correlated events logs. For details,
see Use the Automated Correlation Engine.
Available on the PA-3000 Series, PA-5000 Series, PA-7000 Series, and Panorama.
Sort attributes: severity (by default)

Hosts Visiting Malicious URLs
Displays the frequency with which hosts (IP addresses/hostnames) on your network
have accessed malicious URLs. These URLs are categorized as malware in PAN-DB.
Sort attributes: count
Charts available: line


Hosts Resolving Malicious Domains
Displays the top hosts matching DNS signatures: hosts on the network that are
attempting to resolve the hostname or domain of a malicious URL. This information
is gathered from an analysis of the DNS activity on your network. It utilizes passive
DNS monitoring, DNS traffic generated on the network, activity seen in the sandbox
if you have configured DNS sinkhole on the firewall, and DNS reports on malicious
DNS sources that are available to Palo Alto Networks customers.
Sort attributes: count
Charts available: line

Threat Activity
Displays the threats seen on your network. This information is based on signature
matches in Antivirus, Anti-Spyware, and Vulnerability Protection profiles and viruses
reported by WildFire.
Sort attributes: threats
Charts available: bar, area, column

WildFire Activity by Application
Displays the applications that generated the most WildFire submissions. This widget
uses the malicious and benign verdicts from the WildFire Submissions log.
Sort attributes: malicious, benign
Charts available: bar, line

WildFire Activity by File Type
Displays the threat vector by file type. This widget displays the file types that generated
the most WildFire submissions and uses the malicious and benign verdicts from the
WildFire Submissions log. If this data is unavailable, the widget is empty.
Sort attributes: malicious, benign
Charts available: bar, line

Applications using Non-Standard Ports
Displays the applications that are entering your network on non-standard ports. If you
have migrated your firewall rules from a port-based firewall, use this information to
craft policy rules that allow traffic only on the default port for the application. Where
needed, make an exception to allow traffic on a non-standard port or create a custom
application.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, line

Rules Allowing Applications On Non-Standard Ports
Displays the security policy rules that allow applications on non-default ports. The
graph displays all the rules, while the table displays the top ten rules and aggregates the
data from the remaining rules as other.
This information helps you identify gaps in network security by allowing you to assess
whether an application is hopping ports or sneaking into your network. For example,
you can validate whether you have a rule that allows traffic on any port except the
default port for the application. Say, for example, you have a rule that allows DNS traffic
on its application-default port (port 53 is the standard port for DNS). This widget
displays any rule that allows DNS traffic into your network on any port except port 53.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, line

Blocked Activity: Focuses on traffic that was prevented from coming into the network.


Blocked Application Activity
Displays the applications that were denied on your network, and allows you to view the
threats, content, and URLs that you kept out of your network.
Sort attributes: threats, content, URLs
Charts available: treemap, area, column

Blocked User Activity
Displays user requests that were blocked by a match on an antivirus, anti-spyware, file
blocking, or URL filtering profile attached to a security policy rule.
Sort attributes: threats, content, URLs
Charts available: bar, area, column

Blocked Threats
Displays the threats that were successfully denied on your network. These threats were
matched on antivirus signatures, vulnerability signatures, and DNS signatures available
through the dynamic content updates on the firewall.
Sort attributes: threats
Charts available: bar, area, column

Blocked Content
Displays the files and data that were blocked from entering the network. The content
was blocked because security policy denied access based on criteria defined in a File
Blocking security profile or a Data Filtering security profile.
Sort attributes: files, data
Charts available: bar, area, column

Security Policies Blocking Activity
Displays the security policy rules that blocked or restricted traffic into your network.
Because this widget displays the threats, content, and URLs that were denied access
into your network, you can use it to assess the effectiveness of your policy rules. This
widget does not display traffic that was blocked by deny rules that you have defined
in policy.
Sort attributes: threats, content, URLs
Charts available: bar, area, column


ACC Filters
The graphs and tables on the ACC widgets allow you to use filters to narrow the scope of data that is displayed,
so that you can isolate specific attributes and analyze information you want to view in greater detail. The ACC
supports the simultaneous use of widget and global filters.

Widget filters: Apply a widget filter, which is a filter that is local to a specific widget. A widget filter allows
you to interact with the graph and customize the display so that you can drill down into the details and access
the information you want to monitor on a specific widget. To create a widget filter that is persistent across
reboots, you must use the Set Local Filter option.

Global filters: Apply global filters across all the tabs in the ACC. A global filter allows you to pivot the
display around the details you care about right now and exclude the unrelated information from the current
display. For example, to view all events relating to a specific user and application, you can apply the username
and the application as global filters and view only information pertaining to that user and application
through all the tabs and widgets on the ACC. Global filters are not persistent.


You can apply global filters in three ways:

Set a global filter from a table: Select an attribute from a table in any widget and apply the attribute
as a global filter.

Promote a widget filter to be a global filter: Promote a value in a table or a graph to a global filter
by using the drop-down menu next to the value. This option allows you to elevate a local filter used in
a widget and apply the attribute globally to update the display across all the tabs on the ACC.

Define a global filter: Define a filter using the Global Filters pane on the ACC.

See Interact with the ACC for details on using these filters.


Interact with the ACC

To customize and refine the ACC display, you can add and delete tabs, add and delete widgets, set local and
global filters, and interact with the widgets.

Work with the Tabs and Widgets

Add a tab.
1. Select the icon along the list of tabs.
2. Add a View Name. This name is used as the name for the tab. You can add up to five tabs.

Edit a tab.
Select the tab, and click the pencil icon next to the tab name, to edit the tab. Editing a tab allows you to
add, delete, or reset the widgets that are displayed in the tab. You can also change the widget layout in the tab.

See what widgets are included in a tab.
1. Select the tab, and click the pencil icon to edit it.
2. Select the Add Widgets drop-down and verify which widgets have their check boxes selected.

Add a widget or a widget group.
1. Add a new tab or edit a predefined tab.
2. Select Add Widget, and then select the check box that corresponds to the widget you want to add. You can
   select up to a maximum of 12 widgets.
3. (Optional) To create a 2-column layout, select Add Widget Group. You can drag and drop widgets into the
   2-column display. As you drag the widget into the layout, a placeholder is displayed for you to drop the
   widget. You cannot name a widget group.

Delete a tab or a widget group/widget.
1. To delete a custom tab, select the tab and click the X icon. You cannot delete a predefined tab.
2. To delete a widget group/widget, edit the tab and, in the workspace section, click the [X] icon on the right.
   You cannot undo a deletion.

Reset the default widgets in a tab.
On a predefined tab, such as the Blocked Activity tab, you can delete one or more widgets. If you want to reset
the layout to include the default set of widgets for the tab, edit the tab and click Reset View.

Zoom in on the details in an area, column, or line graph.
Click and drag an area in the graph to zoom in. For example, when you zoom into a line graph, it triggers a
re-query and the firewall fetches the data for the selected time period. It is not a mere magnification.


Use the table drop-down to find more information on an attribute.
1. Hover over an attribute in a table to see the drop-down.
2. Click into the drop-down to view the available options:
   - Global Find: Finds references to the attribute (username/IP address, object name, policy rule
     name, threat ID, or application name) anywhere in the candidate configuration on the firewall.
   - Promote Filter: Sets the attribute as a global filter. This allows you to filter all the views in the
     ACC based on the filters you have applied.
   - Value: Displays the details of the threat ID, application name, or address object.
   - Who Is: Performs a WHOIS lookup for the IP address. The lookup queries databases that store the
     registered users or assignees of an Internet resource.
   - Search HIP Report: Uses the username or IP address to find matches in a HIP Match report.

Set a widget filter.
1. Select a widget and click the icon.
2. Click the icon to add the filters you want to apply.
3. Click Apply. These filters are persistent across reboots. The active widget filters are indicated next to
   the widget name.
You can also click an attribute in the table (below the graph) to apply it as a widget filter.

Negate a widget filter.
1. Click the icon to display the Setup Local Filters dialog.
2. Add a filter, and then click the negate icon.

Set a global filter from a table.
1. Hover over an attribute in the table below the chart, and click the drop-down.
2. Click Promote Filter to add the attribute as a global filter.

Set a global filter using the Global Filters pane.
1. Locate the Global Filters pane on the left side of the ACC.
2. Click the icon to view the list of filters you can apply.

Promote a widget filter to a global filter.
1. On any table in a widget, click the link for an attribute. This sets the attribute as a widget filter.
2. To promote the filter to be a global filter, select the arrow to the right of the filter.

Remove a filter.
Click the icon to remove a filter.
For global filters: The icon is located in the Global Filters pane.
For widget filters: Click the icon to display the Setup Local Filters dialog, then select the filter, and click
the icon.

Clear all filters.
For global filters: Click the Clear All button under Global Filters.
For widget filters: Select a widget and click the icon. Then click the Clear All button in the Setup Local
Filters dialog.

See what filters are in use.
For global filters: The number of global filters applied is displayed on the left pane under Global Filters.
For widget filters: The number of widget filters applied on a widget is displayed next to the widget name.
To view the filters, click the icon.

Reset the display on a widget.
If you set a widget filter or drill into a graph, click the Home link to reset the display in the widget.


Use Case: ACC Path of Information Discovery

The ACC has a wealth of information that you can use as a starting point for analyzing network traffic. Let's
look at an example of using the ACC to uncover events of interest. This example illustrates how you can use
the ACC to ensure that legitimate users can be held accountable for their actions, detect and track unauthorized
activity, and detect and diagnose compromised hosts and vulnerable systems on your network.
The widgets and filters in the ACC give you the capability to analyze the data and filter the views based on events
of interest or concern. You can trace events that pique your interest, directly export a PDF of a tab, access the
raw logs, and save a personalized view of the activity that you want to track. These capabilities make it possible
for you to monitor activity and develop policies and countermeasures for fortifying your network against
malicious activity. In this section, you will Interact with the ACC widgets across different tabs, drill down using
widget filters, pivot the ACC views using global filters, and export a PDF for sharing with incident
response or IT teams.
At first glance, you see the Application Usage and User Activity widgets in the ACC > Network Activity tab. The
User Activity widget shows that user Marsha Wirth has transferred 718 Megabytes of data during the last hour.
This volume is nearly six times more than any other user on the network. To see the trend over the past few
hours, expand the Time period to the Last 6 Hrs; now Marsha's activity has been 6.5 Gigabytes over 891
sessions and has triggered 38 threat signatures.

Because Marsha has transferred a large volume of data, apply her username as a global filter (ACC Filters) and
pivot all the views in the ACC to Marsha's traffic activity.


The Application Usage widget now shows that the top application that Marsha used was rapidshare, a Swiss-owned
file-hosting site that belongs to the file-sharing URL category. For further investigation, add rapidshare as a
global filter, and view Marsha's activity in the context of rapidshare.
Consider whether you want to sanction rapidshare for company use. Should you allow uploads
to this site, and do you need a QoS policy to limit bandwidth?

To view which IP addresses Marsha has communicated with, check the Destination IP Activity widget, and view
the data by bytes and by URLs.

To know which countries Marsha communicated with, sort on sessions in the Destination Regions widget.

From this data, you can confirm that Marsha, a user on your network, has established sessions in Korea and the
European Union, and that she logged 19 threats in her sessions within the United States.


To look at Marsha's activity from a threat perspective, remove the global filter for rapidshare.
In the Threat Activity widget on the Threat Activity tab, view the threats. The widget shows
that her activity has triggered a match for 26 vulnerabilities in the overflow, DoS, and
code-execution threat categories. Several of these vulnerabilities are of critical severity.

To drill down further into each vulnerability, click into the graph and narrow the scope of your investigation.
Each click automatically applies a local filter on the widget.


To investigate each threat by name, you can create a global filter for, say, Microsoft Works File Converter Field
Length Remote Code Execution Vulnerability. Then, view the User Activity widget in the Network Activity tab. The
tab is automatically filtered to display threat activity for Marsha (notice the global filters in the screenshot).

Notice that this Microsoft code-execution vulnerability was triggered over email, by the imap application. You
can now establish that Marsha has IE vulnerabilities and email attachment vulnerabilities, and that perhaps her
computer needs to be patched. You can now navigate to the Blocked Threats widget in the Blocked Activity
tab to check how many of these vulnerabilities were blocked.
Or, you can check the Rule Usage widget on the Network Activity tab to discover how many vulnerabilities made
it into your network and which security rule allowed this traffic, and navigate directly to the security rule using
the Global Find capability.

Then, drill into why imap used the non-standard port 43206 instead of port 143, which is the default port for the
application. Consider modifying the security policy rule to allow applications to use only the default port for the
application, or assess whether this port should be an exception on your network.


To review if any threats were logged over imap, check Marsha's activity in the WildFire
Activity by Application widget in the Threat Activity tab. You can confirm that Marsha had
no malicious activity, but to verify that no other user was compromised by the imap
application, negate Marsha as a global filter and look for other users who triggered threats
over imap.

Click into the bar for imap in the graph and drill into the inbound threats associated with the application. To
find out who an IP address is registered to, hover over the attacker IP address and select the Who Is link in the
drop-down.

Because the session count from this IP address is high, check the Blocked Content and Blocked Threats widgets
in the Blocked Activity tab for events related to this IP address. The Blocked Activity tab allows you to validate
whether or not your policy rules are effective in blocking content or threats when a host on your network is
compromised.


Use the Export PDF capability on the ACC to export the current view (create a snapshot of the data) and send it
to an incident response team. To view the threat logs directly from the widget, you can also click the icon
to jump to the logs; the query is generated automatically and only the relevant logs are displayed onscreen (for
example, in Monitor > Logs > Threat Logs).

You have now used the ACC to review network data and trends to find which applications or users are generating
the most traffic, and how many applications are responsible for the threats seen on the network. You were able
to identify which application(s) and user(s) generated the traffic, determine whether the application was on the
default port and which policy rule(s) allowed the traffic into the network, and determine whether the threat is
spreading laterally on the network. You also identified the destination IP addresses and geo-locations with which
hosts on the network are communicating. Use the conclusions from your investigation to craft
goal-oriented policies that can secure users and your network.
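The investigation above is carried out in the ACC's web interface. As an added illustration (not from the PAN-OS guide and not Palo Alto Networks code), the Python below models the same path of discovery offline over a handful of constructed session records: it ranks users by bytes the way the User Activity widget does, applies a global filter for one user, re-aggregates by application and destination region, and then flags the sessions and rules where an application ran on a port other than its default, which is what the Applications using Non-Standard Ports and Rules Allowing Applications On Non-Standard Ports widgets describe. The record layout, the user and rule names, and the DEFAULT_PORTS table are assumptions made for the example; only imap/143 and dns/53 come from the guide.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One summarized session. Field names are this example's own, not PAN-OS log field names."""
    user: str
    app: str
    dst_port: int
    dst_region: str
    bytes_total: int
    threats: int
    rule: str


# Application-default ports. imap/143 and dns/53 are quoted in the guide; the rest
# are assumptions for the example (the firewall's App-ID content holds the real values).
DEFAULT_PORTS = {
    "imap": {143, 993},
    "dns": {53},
    "ssl": {443},
    "web-browsing": {80},
    "rapidshare": {80, 443},
}

# Constructed sample data (not real logs). Marsha's three sessions sum to 718 MB,
# mirroring the figure used in the use case.
SESSIONS = [
    Session("marsha.wirth", "rapidshare", 443, "CH", 600_000_000, 0, "allow-web"),
    Session("marsha.wirth", "imap", 43206, "US", 50_000_000, 19, "allow-any"),
    Session("marsha.wirth", "web-browsing", 80, "KR", 68_000_000, 0, "allow-web"),
    Session("bob", "ssl", 443, "US", 90_000_000, 1, "allow-web"),
    Session("alice", "dns", 5353, "EU", 2_000_000, 0, "allow-any"),
    Session("alice", "web-browsing", 80, "US", 110_000_000, 0, "allow-web"),
]


def top_by(sessions, group_key, sort_attr, n=10):
    """ACC-style widget view: total `sort_attr` per `group_key`, keep the top n,
    and fold everything else into a single 'other' row as the widgets do."""
    totals = Counter()
    for s in sessions:
        totals[getattr(s, group_key)] += getattr(s, sort_attr)
    ranked = totals.most_common()
    top, rest = ranked[:n], ranked[n:]
    if rest:
        top.append(("other", sum(v for _, v in rest)))
    return top


def apply_filters(sessions, **filters):
    """Global (or widget) filter: keep only sessions matching every attribute given."""
    return [s for s in sessions if all(getattr(s, k) == v for k, v in filters.items())]


def non_standard_port_sessions(sessions):
    """Sessions where the identified app used a port outside its default set.
    Apps with no entry in DEFAULT_PORTS cannot be judged and are skipped."""
    return [s for s in sessions
            if s.app in DEFAULT_PORTS and s.dst_port not in DEFAULT_PORTS[s.app]]


def rules_allowing_non_standard_ports(sessions):
    """Rule name -> set of (app, port) pairs it let through off the default port."""
    by_rule = defaultdict(set)
    for s in non_standard_port_sessions(sessions):
        by_rule[s.rule].add((s.app, s.dst_port))
    return dict(by_rule)


if __name__ == "__main__":
    print("User Activity by bytes:", top_by(SESSIONS, "user", "bytes_total"))
    marsha = apply_filters(SESSIONS, user="marsha.wirth")       # global filter
    print("Marsha's apps by bytes:", top_by(marsha, "app", "bytes_total"))
    print("Marsha's regions by threats:", top_by(marsha, "dst_region", "threats"))
    print("Rules allowing non-standard ports:", rules_allowing_non_standard_ports(SESSIONS))
```

The `other` row and the per-rule grouping reproduce how the widgets summarize a long tail, and the port check deliberately skips applications it has no default for rather than reporting them, since a missing baseline is not evidence of port hopping.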


App Scope
The App Scope reports provide visibility and analysis tools that help you pinpoint problematic behavior:
understand changes in application usage and user activity, find the users and applications that take up most of the
network bandwidth, and identify network threats.
With the App Scope reports, you can quickly see if any behavior is unusual or unexpected. Each report provides
a dynamic, user-customizable window into the network; hovering the mouse over and clicking either the lines
or bars on the charts opens detailed information about the specific application, application category, user, or
source on the ACC. The App Scope charts on Monitor > App Scope give you the ability to:

Toggle the attributes in the legend to only view chart details that you want to review. The ability to include
or exclude data from the chart allows you to change the scale and review details more closely.

Click into an attribute in a bar chart and drill down to the related sessions in the ACC. Click into an
Application name, Application Category, Threat Name, Threat Category, Source IP address or Destination
IP address on any bar chart to filter on the attribute and view the related sessions in the ACC.

Export a chart or map to PDF or as an image. For portability and offline viewing, you can Export charts
and maps as PDFs or PNG images.

The following App Scope reports are available:

Summary Report

Change Monitor Report

Threat Monitor Report

Threat Map Report

Network Monitor Report

Traffic Map Report


Summary Report
The App Scope Summary report (Monitor > App Scope > Summary) displays charts for the top five gainers, losers,
and bandwidth consuming applications, application categories, users, and sources.


Change Monitor Report


The App Scope Change Monitor report (Monitor > App Scope > Change Monitor) displays changes over a specified
time period. For example, the following chart displays the top applications that gained in use over the last hour
as compared with the last 24-hour period. The top applications are determined by session count and sorted by
percent.

The Change Monitor report contains the following buttons and options.

- Determines the number of records with the highest measurement included in the chart.
- Determines the type of item reported: Application, Application Category, Source, or Destination.
- Displays measurements of items that have increased over the measured period.
- Displays measurements of items that have decreased over the measured period.
- Displays measurements of items that were added over the measured period.
- Displays measurements of items that were discontinued over the measured period.
- Applies a filter to display only the selected item. None displays all entries.
- Determines whether to display session or byte information.
- Determines whether to sort entries by percentage or raw growth.
- Exports the graph as a .png image or as a PDF.
- Specifies the period over which the change measurements are taken.
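To make the Change Monitor's gainers, losers, added and discontinued categories concrete, the following Python (an added example, not from the PAN-OS guide or from Palo Alto Networks) compares two measurement windows over constructed per-application session counts. Because the guide compares the last hour against the last 24 hours, the longer window is first normalized to an hourly rate; items seen in both windows are sorted as gainers or losers by percent or by raw growth, and items present in only one window are reported as new or dropped instead of being given an undefined percentage. The application names and counts are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """Growth of one item between the baseline window and the current window."""
    item: str
    before: float
    after: float

    @property
    def raw(self):
        return self.after - self.before

    @property
    def percent(self):
        # Only defined when the item existed in the baseline; items that did not
        # are reported as 'new' by change_monitor instead of reaching this point.
        return 100.0 * self.raw / self.before


def per_hour(counts, hours):
    """Normalize a window's totals to an hourly rate so that windows of different
    length (e.g. last hour vs. last 24 hours) can be compared fairly."""
    return {item: total / hours for item, total in counts.items()}


def change_monitor(baseline, current, top_n=5, sort_by="percent"):
    """Return gainers, losers, new and dropped items, each limited to top_n.

    baseline/current map item -> measurement (sessions or bytes) for each window.
    sort_by is 'percent' or 'raw', mirroring the report's sort option."""
    if sort_by not in ("percent", "raw"):
        raise ValueError("sort_by must be 'percent' or 'raw'")
    key = (lambda c: c.percent) if sort_by == "percent" else (lambda c: c.raw)

    in_both = set(baseline) & set(current)
    changes = [Change(i, baseline[i], current[i]) for i in in_both if baseline[i] != current[i]]
    gainers = sorted((c for c in changes if c.raw > 0), key=key, reverse=True)[:top_n]
    losers = sorted((c for c in changes if c.raw < 0), key=key)[:top_n]
    new = sorted(set(current) - set(baseline), key=lambda i: current[i], reverse=True)[:top_n]
    dropped = sorted(set(baseline) - set(current), key=lambda i: baseline[i], reverse=True)[:top_n]
    return {"gainers": gainers, "losers": losers, "new": new, "dropped": dropped}


# Constructed session counts per application (not real data).
LAST_24H = {"web-browsing": 2400, "ssl": 4800, "dns": 24000, "imap": 240, "ftp": 48}
LAST_1H = {"web-browsing": 150, "ssl": 200, "dns": 1000, "imap": 40, "rapidshare": 30}


if __name__ == "__main__":
    for mode in ("percent", "raw"):
        report = change_monitor(per_hour(LAST_24H, 24), LAST_1H, sort_by=mode)
        print(f"sorted by {mode}:")
        for c in report["gainers"]:
            print(f"  gainer {c.item}: {c.before:.0f}/h -> {c.after}/h ({c.percent:+.0f}%, {c.raw:+.0f})")
        print("  new:", report["new"], " dropped:", report["dropped"])
```

With the sample data, imap leads when sorted by percent (10 to 40 sessions per hour) while web-browsing leads when sorted by raw growth (100 to 150), which is exactly the difference the report's percentage/raw option exposes; ssl and dns are unchanged and appear in neither list.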


Threat Monitor Report


The App Scope Threat Monitor report (Monitor > App Scope > Threat Monitor) displays a count of the top threats
over the selected time period. For example, the following figure shows the top 10 threat types over the last 6
hours.

Each threat type is color-coded as indicated in the legend below the chart. The Threat Monitor report contains
the following buttons and options.
- Determines the number of records with the highest measurement included in the chart.
- Determines the type of item measured: Threat, Threat Category, Source, or Destination.
- Applies a filter to display only the selected type of items.
- Determines whether the information is presented in a stacked column chart or a stacked area chart.
- Exports the graph as a .png image or as a PDF.
- Specifies the period over which the measurements are taken.


Threat Map Report


The App Scope Threat Map report (Monitor > App Scope > Threat Map) shows a geographical view of threats,
including severity. Each threat type is color-coded as indicated in the legend below the chart.
The firewall uses geolocation for creating threat maps. If you have not specified the geolocation coordinates
(Device > Setup > Management, General Settings section) on the firewall, the firewall is placed at the bottom of
the threat map screen.

The Threat Map report contains the following buttons and options.

- Determines the number of records with the highest measurement included in the chart.
- Displays incoming threats.
- Displays outgoing threats.
- Applies a filter to display only the selected type of items.
- Zooms in and out of the map.
- Exports the graph as a .png image or as a PDF.
- Indicates the period over which the measurements are taken.


Network Monitor Report


The App Scope Network Monitor report (Monitor > App Scope > Network Monitor) displays the bandwidth
dedicated to different network functions over the specified period of time. Each network function is
color-coded as indicated in the legend below the chart. For example, the image below shows application
bandwidth for the past 7 days based on session information.

The Network Monitor report contains the following buttons and options.

Button   Description
[icon]   Determines the number of records with the highest measurement included in the chart.
[icon]   Determines the type of item reported: Application, Application Category, Source, or Destination.
[icon]   Applies a filter to display only the selected item. None displays all entries.
[icon]   Determines whether to display session or byte information.
[icon]   Exports the graph as a .png image or as a PDF.
[icon]   Determines whether the information is presented in a stacked column chart or a stacked area chart.
[icon]   Indicates the period over which the change measurements are taken.

Traffic Map Report


The App Scope Traffic Map report (Monitor > App Scope > Traffic Map) shows a geographical view of traffic flows
according to sessions or flows.
The firewall uses geolocation to create traffic maps. If you have not specified the geolocation coordinates
(Device > Setup > Management, General Settings section) on the firewall, the firewall is placed at the bottom of
the traffic map screen.

Each traffic type is color-coded as indicated in the legend below the chart. The Traffic Map report contains the
following buttons and options.

Button   Description
[icon]   Determines the number of records with the highest measurement included in the chart.
[icon]   Displays incoming threats.
[icon]   Displays outgoing threats.
[icon]   Determines whether to display session or byte information.
[icon]   Zoom in and zoom out of the map.
[icon]   Exports the graph as a .png image or as a PDF.
[icon]   Indicates the period over which the change measurements are taken.

Use the Automated Correlation Engine


The automated correlation engine is an analytics tool that uses the logs on the firewall to detect actionable events
on your network. The engine correlates a series of related threat events that, when combined, indicate a likely
compromised host on your network or some other higher-level conclusion. It pinpoints areas of risk, such as
compromised hosts on the network, and allows you to assess the risk and take action to prevent exploitation of
network resources. The automated correlation engine uses correlation objects to analyze the logs for patterns and,
when a match occurs, it generates a correlated event.
The automated correlation engine is supported on the following platforms:
Panorama (M-Series appliance and the virtual appliance)
PA-7000 Series firewall
PA-5000 Series firewall
PA-3000 Series firewall

Automated Correlation Engine Concepts

View the Correlated Objects

Interpret Correlated Events

Use the Compromised Hosts Widget in the ACC

Automated Correlation Engine Concepts


The automated correlation engine uses correlation objects to analyze the logs for patterns and when a match occurs,
it generates a correlated event.

Correlation Object

Correlated Events

Correlation Object
A correlation object is a definition file that specifies the patterns to match against, the data sources to use for
the lookups, and the time period within which to look for these patterns. A pattern is a boolean structure of
conditions that queries the following data sources (or logs) on the firewall: application statistics, traffic, traffic
summary, threat summary, threat, data filtering, and URL filtering. Each pattern has a severity rating and a
threshold for the number of times the pattern match must occur within a defined time limit to indicate malicious
activity. When the match conditions are met, a correlated event is logged.
A correlation object can connect isolated network events and look for patterns that indicate a more significant
event. These objects identify suspicious traffic patterns and network anomalies, including suspicious IP activity,
known command-and-control activity, known vulnerability exploits, or botnet activity that, when correlated,
indicate with a high probability that a host on the network has been compromised. Correlation objects are
defined and developed by the Palo Alto Networks Threat Research team, and are delivered with the weekly
dynamic updates to the firewall and Panorama. To obtain new correlation objects, the firewall must have a
Threat Prevention license. Panorama requires a support license to get the updates.
The patterns defined in a correlation object can be static or dynamic. Correlation objects that include patterns
observed in WildFire are dynamic, and can correlate malware patterns detected by WildFire with
command-and-control activity initiated by a host that was targeted with the malware on your network. For
example, when a host submits a file to the WildFire cloud and the verdict is malicious, the correlation object
looks for other hosts or clients on the network that exhibit the same behavior seen in the cloud. If the malware
sample performed a DNS query and browsed to a malware domain, the correlation object parses the logs for a
similar event. When the activity on a host matches the analysis in the cloud, a high severity correlated event is
logged.

Correlated Events
A correlated event is logged when the patterns and thresholds defined in a correlation object match the traffic
patterns on your network. To Interpret Correlated Events and to view a graphical display of the events, see Use
the Compromised Hosts Widget in the ACC.
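To make the pattern, threshold and time window concepts above concrete, the following added example (not PAN-OS code; the real correlation objects are delivered in content updates and their definition format is not public) models a correlation object as a list of patterns, each with a log source, a condition, a threshold, a window and a severity, and runs it over constructed URL filtering logs. The log record fields, the pattern names and the object name are assumptions made for the illustration.

```python
"""Simplified model of a correlation object matched against firewall logs.
Added illustration, not PAN-OS code: log fields, pattern names and the
object name below are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List

# Severity scale of the Correlated Events log, lowest to highest.
SEVERITIES = ["informational", "low", "medium", "high", "critical"]


@dataclass
class LogEntry:
    source: str                 # log database: "url", "threat", "traffic", ...
    time: datetime
    host: str                   # source address of the session
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class Pattern:
    name: str
    source: str                             # which log database to query
    match: Callable[[LogEntry], bool]       # boolean condition on one log entry
    threshold: int                          # matches required inside the window
    window: timedelta                       # time limit for those matches
    severity: str


@dataclass
class CorrelatedEvent:
    object_name: str
    host: str
    severity: str
    match_time: datetime        # first evidence that triggered the match
    update_time: datetime       # last evidence added to the event
    summary: List[str] = field(default_factory=list)
    evidence: List[LogEntry] = field(default_factory=list)


def pattern_hits(p: Pattern, logs: List[LogEntry]) -> Dict[str, List[LogEntry]]:
    """Per host, the first run of matching logs that reaches p.threshold within p.window."""
    per_host: Dict[str, List[LogEntry]] = {}
    for e in sorted(logs, key=lambda e: e.time):
        if e.source == p.source and p.match(e):
            per_host.setdefault(e.host, []).append(e)
    found: Dict[str, List[LogEntry]] = {}
    for host, hits in per_host.items():
        for i, first in enumerate(hits):
            run = [e for e in hits[i:] if e.time - first.time <= p.window]
            if len(run) >= p.threshold:
                found[host] = run[:p.threshold]
                break
    return found


def correlate(object_name: str, patterns: List[Pattern], logs: List[LogEntry]) -> List[CorrelatedEvent]:
    """Evaluate every pattern; one event per host, rated at the highest matched severity."""
    events: Dict[str, CorrelatedEvent] = {}
    for p in patterns:
        for host, run in pattern_hits(p, logs).items():
            ev = events.get(host)
            if ev is None:
                ev = CorrelatedEvent(object_name, host, p.severity, run[0].time, run[-1].time)
                events[host] = ev
            ev.summary.append(f"{p.name} ({len(run)} matches)")
            ev.evidence.extend(run)
            ev.match_time = min(ev.match_time, run[0].time)
            ev.update_time = max(ev.update_time, run[-1].time)
            if SEVERITIES.index(p.severity) > SEVERITIES.index(ev.severity):
                ev.severity = p.severity
    return list(events.values())


# Constructed patterns modelled on the medium and low severity descriptions.
PATTERNS = [
    Pattern("repeated malicious URL visits", "url",
            lambda e: e.fields.get("category") == "malware",
            threshold=3, window=timedelta(hours=1), severity="medium"),
    Pattern("dynamic DNS domain visit", "url",
            lambda e: e.fields.get("category") == "dynamic-dns",
            threshold=1, window=timedelta(hours=1), severity="low"),
]

T0 = datetime(2015, 12, 23, 9, 0, 0)
M = timedelta(minutes=1)

# Constructed URL filtering and traffic logs (sample data, not real logs).
LOGS = [
    LogEntry("url", T0 + 0 * M, "192.168.2.10", {"category": "malware"}),
    LogEntry("url", T0 + 5 * M, "192.168.2.10", {"category": "malware"}),
    LogEntry("url", T0 + 10 * M, "192.168.2.10", {"category": "malware"}),
    LogEntry("url", T0 + 12 * M, "192.168.2.10", {"category": "dynamic-dns"}),
    LogEntry("url", T0 + 0 * M, "192.168.2.20", {"category": "malware"}),
    LogEntry("url", T0 + 90 * M, "192.168.2.20", {"category": "malware"}),    # three hits, but spread
    LogEntry("url", T0 + 180 * M, "192.168.2.20", {"category": "malware"}),   # beyond the 1 hour window
    LogEntry("url", T0 + 20 * M, "192.168.2.30", {"category": "dynamic-dns"}),
    LogEntry("traffic", T0 + 1 * M, "192.168.2.40", {"app": "web-browsing"}),
]


def demo() -> List[CorrelatedEvent]:
    """Run the constructed object over the constructed logs; .10 is medium, .30 is low, .20 gets no event."""
    return correlate("Suspicious host activity (example)", PATTERNS, LOGS)
```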

View the Correlated Objects


View the Correlation Objects Available on the Firewall

Step 1

To view the correlation objects that are currently available, select Monitor > Automated Correlation Engine >
Correlation Objects. All the objects in the list are enabled by default.

Step 2

View the details on each correlation object. Each object provides the following information:
Name and Title: The name and title indicate the type of activity that the correlation object detects. The
name column is hidden from view by default. To view the definition of the object, unhide the column and
click the name link.
ID: A unique number that identifies the correlation object; this column is also hidden by default. The IDs
are in the 6000 series.
Category: A classification of the kind of threat or harm posed to the network, user, or host. For now, all
the objects identify compromised hosts on the network.
State: Indicates whether the correlation object is enabled (active) or disabled (inactive). All the objects in
the list are enabled by default, and are hence active. Because these objects are based on threat intelligence
data and are defined by the Palo Alto Networks Threat Research team, keep the objects active in order to
track and detect malicious activity on your network.
Description: Specifies the match conditions for which the firewall or Panorama will analyze logs. It
describes the sequence of conditions that are matched to identify acceleration or escalation of malicious
activity or suspicious host behavior. For example, the Compromise Lifecycle object detects a host involved
in a complete attack lifecycle in a three-step escalation that starts with scanning or probing activity,
progressing to exploitation, and concluding with network contact to a known malicious domain.

For more information, see Automated Correlation Engine Concepts and Use the Automated Correlation
Engine.

Interpret Correlated Events


You can view and analyze the logs generated for each correlated event in the Monitor > Automated Correlation
Engine > Correlated Events tab.

Correlated Events includes the following details:

Match Time: The time the correlation object triggered a match.
Update Time: The time when the event was last updated with evidence on the match. As the firewall collects
evidence on the pattern or sequence of events defined in a correlation object, the time stamp on the correlated
event log is updated.
Object Name: The name of the correlation object that triggered the match.
Source Address: The IP address of the user/device on your network from whom/which the traffic originated.
Source User: The user and user group information from the directory server, if User-ID is enabled.

Severity: A rating that indicates the urgency and impact of the match. The severity level indicates the extent
of damage or escalation pattern, and the frequency of occurrence. Because correlation objects are primarily for
detecting threats, the correlated events typically relate to identifying compromised hosts on the network and
the severity implies the following:
Critical: Confirms that a host has been compromised based on correlated events that indicate an escalation
pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by
WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that
malicious file.
High: Indicates that a host is very likely compromised based on a correlation between multiple threat events,
such as malware detected anywhere on the network that matches the command-and-control activity generated
by a particular host.
Medium: Indicates that a host is likely compromised based on the detection of one or multiple suspicious
events, such as repeated visits to known malicious URLs, which suggests a scripted command-and-control
activity.
Low: Indicates that a host is possibly compromised based on the detection of one or multiple suspicious
events, such as a visit to a malicious URL or a dynamic DNS domain.
Informational: Detects an event that may be useful in aggregate for identifying suspicious activity, but the
event is not necessarily significant on its own.
To configure the firewall or Panorama to send alerts using email, SNMP or syslog messages for a desired
severity level, see Use External Services for Monitoring.
Summary: A description that summarizes the evidence gathered on the correlated event.
Click the detailed log view icon to see the detailed log view, which includes all the evidence on a match:

Match Information: Object Details presents information on the Correlation Object that triggered the match.
Match Details is a summary of the match details that includes the match time, last update time on the match
evidence, severity of the event, and an event summary.
Match Evidence: Presents all the evidence that corroborates the correlated event. It lists detailed information
on the evidence collected for each session.

Use the Compromised Hosts Widget in the ACC


The Compromised Hosts widget on ACC > Threat Activity aggregates the Correlated Events and sorts them by
severity. It displays the source IP address/user who triggered the event, the correlation object that was matched,
and the number of times the object was matched. Use the match count link to jump to the match evidence
details.

For more details, see Use the Automated Correlation Engine and Use the Application Command Center.

Take Packet Captures


All Palo Alto Networks firewalls allow you to take packet captures (pcaps) of traffic that traverses the
management interface and network interfaces on the firewall. When taking packet captures on the dataplane,
you may need to Disable Hardware Offload to ensure that the firewall captures all traffic.
Packet capture can be very CPU intensive and can degrade firewall performance. Only use this feature when necessary
and make sure you turn it off after you have collected the required packets.

There are four different types of packet captures you can enable, depending on what you need to do:

Custom Packet Capture: The firewall captures packets for all traffic or for specific traffic based on filters
that you define. For example, you can configure the firewall to only capture packets to and from a specific
source and destination IP address or port. You then use the packet captures for troubleshooting
network-related issues or for gathering application attributes to enable you to write custom application
signatures or to request an application signature from Palo Alto Networks. See Take a Custom Packet
Capture.

Threat Packet Capture: The firewall captures packets when it detects a virus, spyware, or vulnerability.
You enable this feature in Antivirus, Anti-Spyware, and Vulnerability Protection security profiles. A link to
view or export the packet captures will appear in the second column of the Threat log. These packet captures
provide context around a threat to help you determine if an attack is successful or to learn more about the
methods used by an attacker. You can also submit this type of pcap to Palo Alto Networks to have a threat
re-analyzed if you believe it is a false positive or false negative. See Take a Threat Packet Capture.

Application Packet Capture: The firewall captures packets based on a specific application and filters that
you define. A link to view or export the packet captures will appear in the second column of the Traffic logs
for traffic that matches the packet capture rule. See Take an Application Packet Capture.

Management Interface Packet Capture: The firewall captures packets on the management interface
(MGT). The packet captures are useful when troubleshooting services that traverse the interface, such as
device management authentication to external servers (LDAP and RADIUS, for example), software and
content updates, log forwarding, communication with SNMP servers, and authentication requests for
GlobalProtect and Captive Portal. See Take a Packet Capture on the Management Interface.

Disable Hardware Offload


Packet captures on a Palo Alto Networks firewall are performed in the dataplane CPU, unless you configure the
firewall to Take a Packet Capture on the Management Interface, in which case the packet capture is performed
on the management plane. When a packet capture is performed on the dataplane, during the ingress stage, the
firewall performs packet parsing checks and discards any packets that do not match the packet capture filter.
Any traffic that is offloaded to the field-programmable gate array (FPGA) offload processor is also excluded,
unless you turn off hardware offload. For example, encrypted traffic (SSL/SSH), network protocols (OSPF,
BGP, RIP), application overrides, and terminating applications can be offloaded to the FPGA and therefore are
excluded from packet captures by default. Some types of sessions will never be offloaded, such as ARP, all
non-IP traffic, IPSec, VPN sessions, SYN, FIN, and RST packets.
Hardware offload is supported on the following firewalls: PA-2000 Series, PA-3050, PA-4000 Series, PA-5000 Series,
and PA-7000 Series firewall.

Disabling hardware offload increases the dataplane CPU usage. If dataplane CPU usage is already high, you may want
to schedule a maintenance window before disabling hardware offload.

Enable/Disable Hardware Offload

Step 1

Disable hardware offload by running the following CLI command:


admin@PA-7050> set session offload no

Step 2

After the firewall captures the required traffic, enable hardware offload by running the following CLI command:
admin@PA-7050> set session offload yes

Take a Custom Packet Capture


Custom packet captures allow you to define the traffic that the firewall will capture. To ensure that you capture
all traffic, you may need to Disable Hardware Offload.

Take a Custom Packet Capture

Step 1

Before you start a packet capture, identify the attributes of the traffic that you want to capture.
For example, to determine the source IP address, source NAT IP address, and the destination IP address for
traffic between two systems, perform a ping from the source system to the destination system. After the
ping is complete, go to Monitor > Traffic and locate the traffic log for the two systems. Click the Detailed Log
View icon located in the first column of the log and note the source address, source NAT IP, and the destination
address.

In the example that follows, we will use a packet capture to troubleshoot a Telnet connectivity issue from a user
in the Trust zone to a server in the DMZ zone.

Step 2

Set packet capture filters, so the firewall only captures traffic you are interested in.
Filters will make it easier for you to locate the information you need in the packet capture and will reduce the
processing power required by the firewall to take the packet capture. To capture all traffic, do not define filters
and leave the filter option off.
For example, if you configured NAT on the firewall, you will need to apply two filters. The first one filters on
the pre-NAT source IP address to the destination IP address and the second one filters traffic from the
destination server to the source NAT IP address.
1. Select Monitor > Packet Capture.
2. Click Clear All Settings at the bottom of the window to clear any existing capture settings.
3. Click Manage Filters and click Add.
4. Select Id 1 and in the Source field enter the source IP address you are interested in and in the Destination
field enter a destination IP address.
For example, enter the source IP address 192.168.2.10 and the destination IP address 10.43.14.55. To
further filter the capture, set Non-IP to exclude non-IP traffic, such as broadcast traffic.
5. Add the second filter and select Id 2.
For example, in the Source field enter 10.43.14.55 and in the Destination field enter 10.43.14.25.
In the Non-IP drop-down menu select exclude.

6. Click OK.
Step 3

Set Filtering to On.

Step 4

Specify the traffic stage(s) that trigger the packet capture and the filename(s) to use to store the captured
content. For a definition of each stage, click the Help icon on the packet capture page.
For example, to configure all packet capture stages and define a filename for each stage, perform the following
procedure:
1. Add a Stage to the packet capture configuration and define a File name for the resulting packet capture.
For example, select receive as the Stage and set the File name to telnet-test-received.

2. Continue to Add each Stage you want to capture (firewall, transmit, and drop) and set a unique File name
for each stage.

Step 5

Set Packet Capture to ON.


Note the warning that system performance can be degraded and then click OK. If you define filters, the packet
capture should have little impact on performance, but you should always turn Off packet capture after the
firewall captures the data that you want to analyze.

Step 6

Generate traffic that matches the filters that you defined.


For this example, generate traffic from the source system to the Telnet-enabled server by running the following
command from the source system (192.168.2.10):
telnet 10.43.14.55

Step 7

Turn packet capture OFF and then click the refresh icon to see the packet capture files.

Notice that in this case, there were no dropped packets, so the firewall did not create a file for the drop stage.
Step 8

Download the packet captures by clicking the filename in the File Name column.

Step 9

View the packet capture files using a network packet analyzer, such as Wireshark.
In this example, the received.pcap packet capture shows a failed Telnet session from the source system at
192.168.2.10 to the Telnet-enabled server at 10.43.14.55. The source system sent the Telnet request to the server,
but the server did not respond. In this example, the server may not have Telnet enabled, so check the server.

Step 10

Enable the Telnet service on the destination server (10.43.14.55) and turn on packet capture to take a new packet
capture.

Step 11

Generate traffic that will trigger the packet capture.
Run the Telnet session again from the source system to the Telnet-enabled server:
telnet 10.43.14.55

Step 12

Download and open the received.pcap file and view it using a network packet analyzer.
The following packet capture now shows a successful Telnet session from the host user at 192.168.2.10 to the
Telnet-enabled server at 10.43.14.55. Note that you also see the NAT address 10.43.14.25. When the server
responds, it does so to the NAT address. You can see the session is successful as indicated by the three-way
handshake between the host and the server and then you see Telnet data.
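The following added example (not the firewall's code) replays the two-filter logic from Step 2 and the handshake reading from Steps 9 and 12 over constructed packet records, so the difference between the silent server and the completed three-way handshake via the NAT address can be checked programmatically. The Non-IP filter semantics and the packet tuples are assumptions made for the example.

```python
"""Replay of the custom packet capture filters (Step 2) and the session
reading of Steps 9 and 12 over constructed packet records. Added example,
not PAN-OS code; filter semantics and packets are assumptions."""
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# One captured packet; flags use tcpdump-style letters (S, SA, A, PA).
Packet = namedtuple("Packet", "ts proto src dst sport dport flags")

# The two filters from Step 2: pre-NAT source to the server, and the server
# back to the source NAT address. Both exclude non-IP traffic.
FILTERS: List[Dict[str, Optional[str]]] = [
    {"id": "1", "src": "192.168.2.10", "dst": "10.43.14.55", "non_ip": "exclude"},
    {"id": "2", "src": "10.43.14.55", "dst": "10.43.14.25", "non_ip": "exclude"},
]


def matches(pkt: Packet, flt: Dict[str, Optional[str]]) -> bool:
    """Assumed semantics: IP packets must match src and dst (None = any);
    non-IP packets such as ARP are governed only by the Non-IP setting."""
    if pkt.proto == "arp":
        return flt["non_ip"] != "exclude"
    return flt["src"] in (None, pkt.src) and flt["dst"] in (None, pkt.dst)


def apply_filters(packets: List[Packet], filters) -> List[Packet]:
    """A packet is captured when it matches any configured filter."""
    return [p for p in packets if any(matches(p, f) for f in filters)]


def telnet_session_state(packets: List[Packet], client: str, nat_ip: str,
                         server: str, port: int = 23) -> str:
    """Walk the TCP flags seen at the receive stage and classify the session.
    The server's replies are addressed to the NAT address, so both the real
    client address and its NAT address count as the client side."""
    client_side = {client, nat_ip}
    syn = syn_ack = ack = False
    for p in packets:
        if p.proto != "tcp":
            continue
        from_client = p.src == client and p.dst == server and p.dport == port
        from_server = p.src == server and p.dst in client_side and p.sport == port
        if from_client and p.flags == "S":
            syn = True
        elif syn and from_server and p.flags == "SA":
            syn_ack = True
        elif syn_ack and from_client and p.flags == "A":
            ack = True
    if not syn:
        return "no-syn"
    if not syn_ack:
        return "no-response"          # Step 9: the server never answered
    return "handshake-complete" if ack else "handshake-incomplete"


# Constructed captures, not real pcaps. Step 9: Telnet disabled, server silent.
FAILED_CAPTURE = [
    Packet(0.000, "tcp", "192.168.2.10", "10.43.14.55", 51020, 23, "S"),
    Packet(0.010, "arp", "192.168.2.1", "192.168.2.10", 0, 0, ""),        # non-IP, excluded
    Packet(0.050, "tcp", "192.168.2.11", "10.43.14.55", 40100, 23, "S"),  # other host, matches no filter
    Packet(1.000, "tcp", "192.168.2.10", "10.43.14.55", 51020, 23, "S"),  # retransmit, still no reply
]
# Step 12: Telnet enabled; replies come back to the NAT address 10.43.14.25.
SUCCESS_CAPTURE = [
    Packet(0.000, "tcp", "192.168.2.10", "10.43.14.55", 51021, 23, "S"),
    Packet(0.002, "tcp", "10.43.14.55", "10.43.14.25", 23, 51021, "SA"),
    Packet(0.003, "tcp", "192.168.2.10", "10.43.14.55", 51021, 23, "A"),
    Packet(0.100, "tcp", "10.43.14.55", "10.43.14.25", 23, 51021, "PA"),  # Telnet data
    Packet(0.150, "tcp", "192.168.2.10", "10.43.14.55", 51021, 23, "PA"),
    Packet(0.200, "arp", "10.43.14.1", "10.43.14.55", 0, 0, ""),
]


def analyze(capture: List[Packet]) -> Tuple[int, str]:
    """Return (number of packets kept by the filters, session verdict)."""
    kept = apply_filters(capture, FILTERS)
    return len(kept), telnet_session_state(kept, "192.168.2.10", "10.43.14.25", "10.43.14.55")
```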

Take a Threat Packet Capture


To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on
Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.
Take a Threat Packet Capture

Step 1

Enable the packet capture option in the security profile.
1. Select Objects > Security Profiles and enable the packet capture option for the supported profiles as follows:
Antivirus: Select a custom antivirus profile and in the Antivirus tab select the Packet Capture check box.
Anti-Spyware: Select a custom Anti-Spyware profile, click the DNS Signatures tab and in the Packet Capture
drop-down, select single-packet or extended-capture.
Vulnerability Protection: Select a custom Vulnerability Protection profile and in the Rules tab, click Add to
add a new rule, or select an existing rule. Set Packet Capture to single-packet or extended-capture. Note that
if the profile has signature exceptions defined, click the Exceptions tab and in the Packet Capture column for
a signature, set single-packet or extended-capture.
Some security profiles allow you to define a single-packet capture, or extended-capture. If you choose
extended-capture, define the capture length. This will allow the firewall to capture more packets to provide
additional context related to the threat.
The firewall can only capture packets if the action for a given threat is set to allow or alert.
2. (Optional) If you selected extended-capture for any of the profiles, define the extended packet capture length.
a. Select Device > Setup > Content-ID and edit the Content-ID Settings.
b. In the Extended Packet Capture Length (packets) section, specify the number of packets that the firewall
will capture (range is 1-50; default is 5).
c. Click OK.

Step 2

Add the security profile (with packet capture enabled) to a Security Policy rule.
1. Select Policies > Security and select a rule.
2. Select the Actions tab.
3. In the Profile Settings section, select a profile that has packet capture enabled. For example, click the
Antivirus drop-down and select a profile that has packet capture enabled.

Step 3

View/export the packet capture from the Threat logs.

1. Select Monitor > Logs > Threat.
2. In the log entry that you are interested in, click the green packet capture icon in the second column. View
the packet capture directly or Export it to your system.

Take an Application Packet Capture


The following topics describe two ways that you can configure the firewall to take application packet captures:

Take a Packet Capture for Unknown Applications

Take a Custom Application Packet Capture

Take a Packet Capture for Unknown Applications


Palo Alto Networks firewalls automatically generate a packet capture for sessions that contain an application
that they cannot identify. Typically, the only applications that are classified as unknown traffic (tcp, udp, or
non-syn-tcp) are commercially available applications that do not yet have App-ID signatures, internal or
custom applications on your network, or potential threats. You can use these packet captures to gather more
context related to the unknown application or use the information to analyze the traffic for potential threats.
You can also Manage Custom or Unknown Applications by controlling them through security policy or by

writing a custom application signature and creating a security rule based on the custom signature. If the
application is a commercial application, you can submit the packet capture to Palo Alto Networks to have an
App-ID signature created.
Identify Unknown Applications in Traffic Logs and View Packet Captures

Step 1

Verify that unknown application packet capture is enabled. This option is on by default.
1. To view the unknown application capture setting, run the following CLI command:
admin@PA-200> show running application setting | match Unknown capture

2. If the unknown capture setting option is off, enable it:


admin@PA-200> set application dump-unknown yes

Step 2

Locate unknown applications by filtering the traffic logs.


1. Select Monitor > Logs > Traffic.
2. Click Add Filter and select the filters as shown in the following example.

3. Click Add and Apply Filter.


Step 3

Click the packet capture icon to view the packet capture or Export it to your local system.

Take a Custom Application Packet Capture


You can configure a Palo Alto Networks firewall to take a packet capture based on an application name and
filters that you define. You can then use the packet capture to troubleshoot issues with controlling an
application. When configuring an application packet capture, you must use the application name defined in the
App-ID database. You can view a list of all App-ID applications using Applipedia or from the web interface on
the firewall in Objects > Applications.
Take a Custom Application Packet Capture

Step 1

Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 2

Turn on the application packet capture and define filters.


admin@PA-200> set application dump on application <application-name> rule <rule-name>

For example, to capture packets for the facebook-base application that matches the security rule named rule1,
run the following CLI command:
admin@PA-200> set application dump on application facebook-base rule rule1

You can also apply other filters, such as source IP address and destination IP address.

Step 3

View the output of the packet capture settings to ensure that the correct filters are applied. The output appears
after enabling the packet capture.
In the following output, you see that application filtering is now on based on the facebook-base application for
traffic that matches rule1.
Application setting:
Application cache              : yes
Supernode                      : yes
Heuristics                     : yes
Cache Threshold                : 16
Bypass when exceeds queue limit: no
Traceroute appid               : yes
Traceroute TTL threshold       : 30
Use cache for appid            : no
Unknown capture                : on
Max. unknown sessions          : 5000
Current unknown sessions       : 0
Application capture            : on
Max. application sessions      : 5000
Current application sessions   : 0
Application filter setting:
Rule                           : rule1
From                           : any
To                             : any
Source                         : any
Destination                    : any
Protocol                       : any
Source Port                    : any
Dest. Port                     : any
Application                    : facebook-base
Current APPID Signature
Signature Usage                : 21 MB (Max. 32 MB)
TCP 1 C2S                      : 15503 states
TCP 1 S2C                      : 5070 states
TCP 2 C2S                      : 2426 states
TCP 2 S2C                      : 702 states
UDP 1 C2S                      : 11379 states
UDP 1 S2C                      : 2967 states
UDP 2 C2S                      : 755 states
UDP 2 S2C                      : 224 states

Step 4

To turn off application packet capture after the traffic you are interested in has traversed the firewall:
admin@PA-200> set application dump off

Step 5

View/export the packet capture.


1. Log in to the web interface on the firewall and select Monitor > Logs > Traffic.
2. In the log entry that you are interested in, click the green packet capture icon in the second column.

3. View the packet capture directly or Export it to your local system. The following screen capture shows the
facebook-base packet capture.

Take a Packet Capture on the Management Interface


The tcpdump CLI command enables you to capture packets that traverse the management interface (MGT) on
a Palo Alto Networks firewall.
Each platform has a default number of bytes that tcpdump captures from each packet. The PA-200, PA-500, and
PA-2000 Series firewalls capture 68 bytes of data from each packet and anything over that is truncated. The
PA-3000, PA-4000, PA-5000 Series, PA-7000 Series, and VM-Series firewalls capture 96 bytes of data from each
packet. To define the number of bytes that tcpdump captures from each packet, use the snaplen (snap length)
option (range 0-65535). Setting the snaplen to 0 causes the firewall to use the maximum length required to
capture whole packets.

Take a Management Interface Packet Capture

Step 1

Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 2

To start a packet capture on the MGT interface, run the following command:
admin@PA-200> tcpdump filter <filter-option> <IP-address> snaplen length

For example, to capture the traffic that is generated when an administrator authenticates to the firewall using
RADIUS, filter on the destination IP address of the RADIUS server (10.5.104.99 in this example):
admin@PA-200> tcpdump filter dst 10.5.104.99 snaplen 0

You can also filter on src (source IP address), host, net, and you can exclude content. For example, to filter on
a subnet and exclude all SCP, SFTP, and SSH traffic (which uses port 22), run the following command:
admin@PA-200> tcpdump filter net 10.5.104.0/24 and not port 22 snaplen 0

Each time tcpdump takes a packet capture, it stores the content in a file named mgmt.pcap. This file is
overwritten each time you run tcpdump.
Step 3

After the traffic you are interested in has traversed the MGT interface, press Ctrl + C to stop the capture.

Step 4

View the packet capture by running the following command:


admin@PA-200> view-pcap mgmt-pcap mgmt.pcap

The following output shows the packet capture from the MGT port (10.5.104.98) to the RADIUS server
(10.5.104.99):
09:55:29.139394 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 89
09:55:29.144354 arp reply 10.5.104.98 is-at 00:25:90:23:94:98 (oui Unknown)
09:55:29.379290 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 70
09:55:34.379262 arp who-has 10.5.104.99 tell 10.5.104.98

Step 5

(Optional) Export the packet capture from the firewall using SCP (or TFTP). For example, to export the packet
capture using SCP, run the following command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to username@host:path

For example, to export the pcap to an SCP enabled server at 10.5.5.20 to a temp folder named temp-SCP, run
the following CLI command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to admin@10.5.5.20:c:/temp-SCP

Enter the login name and password for the account on the SCP server and the firewall will copy the packet
capture to the SCP enabled server to c:\temp-SCP.
Step 6

You can now view the packet capture files using a network packet analyzer, such as Wireshark.
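The capture in Step 4 is what a failed RADIUS authentication looks like from the MGT interface: two Access Requests go out to the server and no reply comes back before the firewall ARPs for the server again. Added example (not from the guide and not PAN-OS code): a Python script that parses view-pcap text output of that form and reports requests that never received an Access Accept, Reject, or Challenge, so a longer capture can be triaged without reading it line by line. The regular expressions assume the line format shown above, the reply codes are the standard RADIUS ones (RFC 2865), and the sample lines are constructed: a copy of the guide's output plus a made-up healthy exchange.

```python
import re

# One line of view-pcap / tcpdump text for a RADIUS packet, in the format the
# guide shows ("Access Request (1)"); newer tcpdump prints "Access-Request (1)",
# which the character class also accepts.
RADIUS_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\S+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>[^:]+): "
    r"RADIUS, [A-Za-z -]+\((?P<code>\d+)\), id: (?P<id>0x[0-9a-fA-F]+)"
)
# "arp who-has <server> tell <firewall>": the firewall re-resolving the server,
# which the guide's sample also shows after the unanswered requests.
ARP_RE = re.compile(r"^\S+ arp who-has (?P<target>\d+(?:\.\d+){3}) tell \S+")

# RADIUS packet codes (RFC 2865) that appear in an authentication exchange.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11


def analyze_radius_capture(text, server_ip):
    """Pair each Access Request with the server's reply and report the rest.

    A request is keyed by (client IP, client UDP port, RADIUS id); the reply
    carries the same id back to the same port, which is how they are matched.
    Returns counts plus a sorted list of unanswered requests as
    (first timestamp, client IP, client port, id) tuples.
    """
    pending = {}
    result = {"requests": 0, "accepts": 0, "rejects": 0, "challenges": 0,
              "arp_probes_for_server": 0, "unanswered": []}
    for line in text.splitlines():
        m = RADIUS_RE.match(line)
        if m:
            code = int(m.group("code"))
            if code == ACCESS_REQUEST and m.group("dst") == server_ip:
                result["requests"] += 1
                key = (m.group("src"), m.group("sport"), m.group("id"))
                pending.setdefault(key, m.group("ts"))  # keep the first attempt's time
            elif m.group("src") == server_ip:
                key = (m.group("dst"), m.group("dport"), m.group("id"))
                pending.pop(key, None)  # any reply resolves the request
                if code == ACCESS_ACCEPT:
                    result["accepts"] += 1
                elif code == ACCESS_REJECT:
                    result["rejects"] += 1
                elif code == ACCESS_CHALLENGE:
                    result["challenges"] += 1
            continue
        a = ARP_RE.match(line)
        if a and a.group("target") == server_ip:
            result["arp_probes_for_server"] += 1
    result["unanswered"] = sorted((ts,) + key for key, ts in pending.items())
    return result


# Constructed sample 1: a copy of the guide's capture (no reply ever arrives).
SAMPLE_NO_REPLY = """\
09:55:29.139394 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 89
09:55:29.144354 arp reply 10.5.104.98 is-at 00:25:90:23:94:98 (oui Unknown)
09:55:29.379290 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 70
09:55:34.379262 arp who-has 10.5.104.99 tell 10.5.104.98
"""

# Constructed sample 2: a healthy exchange, one accept and one reject.
SAMPLE_OK = """\
10:01:00.000100 IP 10.5.104.98.43064 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x01 length: 89
10:01:00.010200 IP 10.5.104.99.radius > 10.5.104.98.43064: RADIUS, Access Accept (2), id: 0x01 length: 20
10:01:05.000100 IP 10.5.104.98.43065 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x02 length: 89
10:01:05.010200 IP 10.5.104.99.radius > 10.5.104.98.43065: RADIUS, Access Reject (3), id: 0x02 length: 20
"""

if __name__ == "__main__":
    for name, sample in (("no reply", SAMPLE_NO_REPLY), ("ok", SAMPLE_OK)):
        print(name, analyze_radius_capture(sample, "10.5.104.99"))
```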


Monitor Applications and Threats


All Palo Alto Networks next-generation firewalls come equipped with the App-ID technology, which identifies
the applications traversing your network, irrespective of protocol, encryption, or evasive tactic. You can then
Use the Application Command Center to monitor the applications. The ACC graphically summarizes the data
from a variety of log databases to highlight the applications traversing your network, who is using them, and
their potential security impact. ACC is dynamically updated, using the continuous traffic classification that
App-ID performs; if an application changes ports or behavior, App-ID continues to see the traffic, displaying
the results in ACC. Additional visibility into URL categories, threats, and data provides a complete and
well-rounded picture of network activity. With ACC, you can very quickly learn more about the traffic traversing
the network and then translate that information into a more informed security policy.
You can also Use the Dashboard to monitor the network.


Monitor and Manage Logs


All Palo Alto Networks next-generation firewalls can generate log files that provide an audit trail of the activities
and events on the firewall. There are separate logs for separate types of activities and events. For example, the
Threat logs record all traffic that causes the firewall to generate a security alarm, URL Filtering logs record all
traffic that matches a URL Filtering profile attached to a security rule, and Config logs record all changes to the
firewall configuration. The firewall uses log data to generate reports (Monitor > Reports), which display the data
in a tabular or graphical format. See Manage Reporting for details.
The following topics describe how to view logs locally on the firewall. You can also Use External Services for
Monitoring logs.

View the Log Files

Filter Log Data

Configure Log Storage Quotas and Expiration Periods

Log Severity Levels and WildFire Verdicts

Schedule Log Exports to an SCP or FTP Server


View the Log Files


The firewall maintains logs for WildFire, configurations, system events, alarms, traffic flows, threats, URL
filtering, data filtering, and Host Information Profile (HIP) matches. You can view the current logs at any time.
To locate specific entries, you can apply filters to most of the log fields.
The firewall displays the information in logs so that role-based administration permissions are
respected. When you display logs, only the information that you have permission to see is
included. For information on administrator permissions, see Administrative Roles.

By default all log files are generated and stored locally on the firewall. You can view these log files in the Monitor
> Logs pages:

To display additional details, click the spyglass icon for an entry.

The following table includes information on each log type:


Log Type

Description

Traffic

Displays an entry for the start and end of each session. Each entry includes the date and
time, source and destination zones, addresses and ports, application name, security rule
name applied to the flow, rule action (allow, deny, or drop), ingress and egress interface,
number of bytes, and session end reason.
Click the spyglass icon next to an entry to view additional details about the session, such as whether an
ICMP entry aggregates multiple sessions between the same source and destination (the
Count value will be greater than one).
The Type column indicates whether the entry is for the start or end of the session, or
whether the session was denied or dropped. A drop indicates that the security rule that
blocked the traffic specified any application, while a deny indicates the rule identified a
specific application.
If traffic is dropped before the application is identified, such as when a rule drops all traffic
for a specific service, the application is shown as not-applicable.

Threat

Displays an entry when traffic matches a Security Profile (Antivirus, Anti-Spyware,
Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection) that is
attached to a security rule on the firewall. Each entry includes the date and time, a threat
name or URL, the source and destination zones, addresses, and ports, the application name,
and the alarm action (allow or block) and severity.
Click the spyglass icon next to an entry to view additional details about the threat, such as whether the
entry aggregates multiple threats of the same type between the same source and destination
(the Count value will be greater than one).
The Type column indicates the type of threat, such as virus or spyware. The Name
column is the threat description or URL, and the Category column is the threat category
(such as keylogger) or URL category.
If local packet captures are enabled, click the packet capture icon next to an entry to access the captured
packets. To enable local packet captures, see Take Packet Captures.
For details on threat severity levels, see Log Severity Levels and WildFire Verdicts.

URL Filtering

Displays logs for all traffic that matches a URL Filtering profile attached to a security rule.
For example, an entry is logged if a rule blocks access to specific web sites and web site categories, or if a rule is
configured to generate an alert when a web site is accessed. For information on defining
URL filtering profiles, see URL Filtering.

WildFire Submissions

Displays logs for files that are uploaded and analyzed by the WildFire cloud; log data is sent
back to the device after analysis, along with the analysis results.
For details on WildFire verdicts (benign or malicious), see Log Severity Levels and WildFire
Verdicts.


Data Filtering

Displays logs for the security rules that help prevent sensitive information such as credit
card or social security numbers from leaving the area protected by the firewall. See Set Up
Data Filtering for information on defining data filtering profiles.
This log also shows information for file-blocking profiles. For example, if you are blocking
.exe files, the log will show the files that were blocked. If you forward files to WildFire, you
will see the results of that action. In this case, if you are forwarding PE files to WildFire, for
example, the log will show that the file was forwarded and will also show the status on
whether or not it was uploaded to WildFire successfully.

Configuration

Displays an entry for each configuration change. Each entry includes the date and time, the
administrator username, the IP address from where the change was made, the type of client
(XML, Web or CLI), the type of command executed, whether the command succeeded or
failed, the configuration path, and the values before and after the change.

System

Displays an entry for each system event. Each entry includes the date and time, the event
severity, and an event description.
For details on System log severity levels, see Log Severity Levels and WildFire Verdicts.

HIP Match

Displays traffic flows that match a HIP Object or HIP Profile that you have configured.


Filter Log Data


Each log page has a filter area at the top of the page.

Use the filter area as follows:

Click any of the underlined links in the log listing to add that item as a log filter option. For example, if you
click the Host link in the log entry for 10.0.0.252 and Web Browsing, both items are added, and the search will
find entries that match both (AND search).

To define other search criteria, click Add Log Filter. Select the type of search (and/or), the attribute to include
in the search, the matching operator, and the values for the match, if appropriate. Click Add to add the
criterion to the filter area on the log page, and then click Close to close the pop-up window. Click Apply Filter
to display the filtered list.
You can combine filter expressions added on the log page with those that you define in the
Expression pop-up window. Each is added as an entry on the Filter line on the log page. If you
set the Received Time filter to Last 60 seconds, some of the page links on the log viewer
may not show results because the number of pages may grow or shrink due to the dynamic nature
of the selected time.

To clear filters and redisplay the unfiltered list, click Clear Filter.

To save your selections as a new filter, click Save Filter, enter a name for the filter, and click OK.

To export the current log listing (as shown on the page, including any applied filters) click Save Filter. Select
whether to open the file or save it to disk, and select the check box if you want to always use the same option.
Click OK.

To export the current log listing in CSV Format, select the Export to CSV icon. By default, exporting the log
listing to CSV format generates a CSV report with up to 2,000 rows of logs. To change the limit for rows
displayed in CSV reports, use the Max Rows in CSV Export field on the Log Export and Reporting tab (select
Device > Setup > Management > Logging and Reporting Settings).

To change the automatic refresh interval, select an interval from the drop-down (1 min, 30 seconds, 10 seconds,
or Manual).
To change the number of log entries per page, select the number of rows from the Rows drop-down.
Log entries are retrieved in blocks of 10 pages. Use the paging controls at the bottom of the page to navigate
through the log list. Select the Resolve Hostname check box to begin resolving external IP addresses to domain
names.


Configure Log Storage Quotas and Expiration Periods


The firewall automatically deletes logs that exceed the expiration period. When the firewall reaches the storage
quota for a log type, it automatically deletes older logs of that type to create space even if you don't set an
expiration period.
If you want to manually delete logs, select Device > Log Settings and, in the Manage Logs
section, click the links to clear logs by type.

Configure Log Storage Quotas and Expiration Periods

Step 1

Select Device > Setup > Management and edit the Logging and Reporting Settings.

Step 2

In the Log Storage tab, select the Log Storage check box and enter the Quota (%) for each log type. When you
change a percentage value, the dialog refreshes to display the corresponding absolute value (Quota GB/MB
column).

Step 3

Enter the Max Days (expiration period) for each log type (range is 1-2,000). The fields are blank by default,
which means the logs never expire.
The firewall synchronizes expiration periods across high availability (HA) pairs. Because only the active
HA peer generates logs, the passive peer has no logs to delete unless failover occurs and it starts
generating logs.

Step 4

Click OK and Commit.


Log Severity Levels and WildFire Verdicts


The following table summarizes the Threat severity levels:
Severity

Description

Critical

Serious threats, such as those that affect default installations of widely deployed software, result in root
compromise of servers, and for which exploit code is widely available to attackers. The attacker usually does not
need any special authentication credentials or knowledge about the individual victims, and the target does
not need to be manipulated into performing any special functions.

High

Threats that have the ability to become critical but have mitigating factors; for example, they may be
difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.

Medium

Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target or
exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard
configurations or obscure applications, or provide very limited access. In addition, WildFire Submissions
log entries with a malware verdict are logged as Medium.

Low

Warning-level threats that have very little impact on an organization's infrastructure. They usually require
local or physical system access and may often result in victim privacy or DoS issues and information
leakage. Data Filtering profile matches are logged as Low.

Informational

Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper
problems that could possibly exist. URL Filtering log entries and WildFire Submissions log entries with
a benign verdict are logged as Informational.

The following table summarizes the System log severity levels. For a partial list of System log messages and their
corresponding severity levels, refer to System Log Events.
Severity

Description

Critical

Hardware failures, including HA failover and link failures.

High

Serious issues, including dropped connections with external devices, such as LDAP and RADIUS servers.

Medium

Mid-level notifications, such as antivirus package upgrades.

Low

Minor severity notifications, such as user password changes.

Informational

Log in/log off, administrator name or password change, any configuration change, and all other events
not covered by the other severity levels.

The following table summarizes the Correlation log severity levels:


Severity

Description

Critical

Confirms that a host has been compromised based on correlated events that indicate an escalation
pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by
WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for
that malicious file.


High

Indicates that a host is very likely compromised based on a correlation between multiple threat events,
such as malware detected anywhere on the network that matches the command and control activity being
generated from a particular host.

Medium

Indicates that a host is likely compromised based on the detection of one or multiple suspicious events,
such as repeated visits to known malicious URLs that suggest scripted command-and-control activity.

Low

Indicates that a host is possibly compromised based on the detection of one or multiple suspicious
events, such as a visit to a malicious URL or a dynamic DNS domain.

Informational

Detects an event that may be useful in aggregate for identifying suspicious activity; each event is not
necessarily significant on its own.

The following table summarizes the WildFire verdicts:


Verdict

Description

Benign

Indicates that the entry received a WildFire analysis verdict of benign. Files categorized as benign are safe
and do not exhibit malicious behavior.

Grayware

Indicates that the entry received a WildFire analysis verdict of grayware. Files categorized as grayware do
not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware can include
adware, spyware, and Browser Helper Objects (BHOs).

Malware

Indicates that the entry received a WildFire analysis verdict of malware. Files categorized as malware are
malicious in intent or nature and can pose a security threat. Malware can include viruses, worms, Trojans,
Remote Access Tools (RATs), rootkits, and botnets. For files that are identified as malware, a signature is
generated and distributed by the WildFire cloud to prevent future exposure.


Schedule Log Exports to an SCP or FTP Server


You can schedule exports of Traffic, Threat, URL Filtering, Data Filtering, HIP Match, and WildFire
Submission logs to a Secure Copy (SCP) server or File Transfer Protocol (FTP) server. Perform this task for
each log type you want to export.
You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an
SCP server and import it to another firewall. Because the log database is too large for an export
or import to be practical on the following platforms, they do not support these options: PA-7000
Series firewalls (all PAN-OS releases), Panorama virtual appliance running Panorama 6.0 or later
releases, and Panorama M-Series appliances (all Panorama releases).

Schedule Log Exports to an SCP or FTP Server

Step 1

Select Device > Scheduled Log Export and click Add.

Step 2

Enter a Name for the scheduled log export and Enable it.

Step 3

Select the Log Type to export.

Step 4

Select the daily Scheduled Export Start Time. The options are in 15-minute increments for a 24-hour clock
(00:00 - 23:59).

Step 5

Select the Protocol to export the logs: SCP (secure) or FTP.

Step 6

Enter the Hostname or IP address of the server.

Step 7

Enter the Port number. By default, FTP uses port 21 and SCP uses port 22.

Step 8

Enter the Path or directory in which to save the exported logs.

Step 9

Enter the Username and, if necessary, the Password (and Confirm Password) to access the server.

Step 10

(FTP only) Select the Enable FTP Passive Mode check box if you want to use FTP passive mode, in which the
firewall initiates a data connection with the FTP server. By default, the firewall uses FTP active mode, in which
the FTP server initiates a data connection with the firewall. Choose the mode based on what your FTP server
supports and on your network requirements.

Step 11

(SCP only) Click Test SCP server connection. The connection is not established until the firewall accepts the
host key for the SCP server.

Step 12

Click OK and Commit.


Manage Reporting
The reporting capabilities on the firewall allow you to keep a pulse on your network, validate your policies, and
focus your efforts on maintaining network security for keeping your users safe and productive.

Report Types

View Reports

Configure the Report Expiration Period

Disable Predefined Reports

Generate Custom Reports

Generate Botnet Reports

Manage PDF Summary Reports

Generate User/Group Activity Reports

Manage Report Groups

Schedule Reports for Email Delivery


Report Types
The firewall includes predefined reports that you can use as-is, or you can build custom reports that meet your
needs for specific data and actionable tasks, or you can combine predefined and custom reports to compile
information you need. The firewall provides the following types of reports:

Predefined Reports: Allow you to view a quick summary of the traffic on your network. A suite of
predefined reports is available in four categories: Applications, Traffic, Threat, and URL Filtering. See
View Reports.

User or Group Activity Reports: Allow you to schedule or create an on-demand report on the application
use and URL activity for a specific user or for a user group. The report includes the URL categories and an
estimated browse time calculation for individual users. See Generate User/Group Activity Reports.

Custom Reports: Create and schedule custom reports that show exactly the information you want to see
by filtering on conditions and columns to include. You can also include query builders for more specific drill
down on report data. See Generate Custom Reports.

PDF Summary Reports: Aggregate up to 18 predefined or custom reports/graphs from Threat,
Application, Trend, Traffic, and URL Filtering categories into one PDF document. See Manage PDF
Summary Reports.

Botnet Reports: Allow you to use behavior-based mechanisms to identify potential botnet-infected hosts
in the network. See Generate Botnet Reports.

Report Groups: Combine custom and predefined reports into report groups and compile a single PDF
that is emailed to one or more recipients. See Manage Report Groups.

Reports can be generated on demand, on a recurring schedule, and can be scheduled for email delivery.


View Reports
The firewall provides an assortment of over 40 predefined reports that it generates every day. You can view these
reports directly on the firewall. You can also view custom reports and summary reports.
About 200 MB of storage is allocated for saving reports on the firewall. You can't configure this limit but you
can Configure the Report Expiration Period: the firewall will automatically delete reports that exceed the period.
Keep in mind that when the firewall reaches its storage limit, it automatically deletes older reports to create space
even if you don't set an expiration period. Another way to conserve system resources on the firewall is to Disable
Predefined Reports. For long-term retention of reports, you can export the reports (as described below) or
Schedule Reports for Email Delivery.
Unlike other reports, you can't save User/Group Activity reports on the firewall. You must
Generate User/Group Activity Reports on demand or schedule them for email delivery.

View Reports

Step 1

Select Monitor > Reports.


The reports are grouped into sections on the right-hand side of the window: Custom Reports, Application
Reports, Traffic Reports, Threat Reports, URL Filtering Reports, and PDF Summary Reports.

Step 2

Select a report to view. When you select a report, the previous day's report is displayed onscreen.
To view reports for any of the previous days, select an available date from the calendar at the bottom of the page
and select a report within the same section. If you change sections, the time selection is reset.

Step 3

To view a report offline, you can export the report to PDF, CSV, or XML format. Click Export to PDF,
Export to CSV, or Export to XML at the bottom of the page. Then print or save the file.


Configure the Report Expiration Period


When you set the Report Expiration Period, it applies to all Report Types. The firewall automatically deletes
reports that exceed the period.
Configure Report Expiration Periods

Step 1

Select Device > Setup > Management, edit the Logging and Reporting Settings, and select the Log Export and
Reporting tab.

Step 2

Enter the Report Expiration Period in days (range is 1-2000, default is no expiration).
You can't change the storage that the firewall allocates for saving reports: it is predefined at about 200
MB. When the firewall reaches the storage maximum, it automatically deletes older reports to create
space even if you don't set a Report Expiration Period.

Step 3

Click OK and Commit.


Disable Predefined Reports


The firewall includes about 40 predefined reports that it automatically generates daily. If you do not use some
or all of these, you can disable selected reports to conserve system resources on the firewall.
Make sure that no report group or PDF summary report includes the predefined reports you will disable.
Otherwise, the firewall will render the PDF summary report or report group without any data.
Disable Predefined Reports

Step 1

Select Device > Setup > Management and edit the Logging and Reporting Settings.

Step 2

Select the Pre-Defined Reports tab and clear the check box for each report you want to disable. To disable all
predefined reports, click Deselect All.

Step 3

Click OK and Commit.


Generate Custom Reports


In order to create purposeful custom reports, you must consider the attributes or key pieces of information that
you want to retrieve and analyze. This consideration guides you in making the following selections in a custom
report:
Selection

Description

Data Source

The data file that is used to generate the report. The firewall offers two types of data
sources: Summary databases and Detailed logs.
Summary databases are available for traffic, threat, and application statistics. The firewall
aggregates the detailed logs on traffic, application, and threat at 15-minute intervals. The
data is condensed to allow faster response time when generating reports: duplicate sessions
are grouped together and incremented with a repeat counter, and some attributes (or
columns) are not included in the summary.
Detailed logs are itemized and are a complete listing of all the attributes (or columns) that
pertain to the log entry. Reports based on detailed logs take much longer to run and are
not recommended unless absolutely necessary.

Attributes

The columns that you want to use as the match criteria. The attributes are the columns that
are available for selection in a report. From the list of Available Columns, you can add the
selection criteria for matching data and for aggregating the details (the Selected Columns).

Sort By/ Group By

The Sort By and the Group By criteria allow you to organize/segment the data in the report;
the sorting and grouping attributes available vary based on the selected data source.
The Sort By option specifies the attribute that is used for aggregation. If you do not select
an attribute to sort by, the report will return the first N number of results without any
aggregation.
The Group By option allows you to select an attribute and use it as an anchor for grouping
data; all the data in the report is then presented in a set of top 5, 10, 25 or 50 groups. For
example, when you select Hour as the Group By selection and want the top 25 groups for
a 24-hr time period, the results of the report will be generated on an hourly basis over a
24-hr period. The first column in the report will be the hour and the next set of columns
will be the rest of your selected report columns.


The following example illustrates how the Selected Columns and Sort By/Group By
criteria work together when generating reports:

The columns circled in red (above) depict the columns selected, which are the attributes that
you match against for generating the report. Each log entry from the data source is parsed
and these columns are matched on. If multiple sessions have the same values for the selected
columns, the sessions are aggregated and the repeat count (or sessions) is incremented.
The column circled in blue indicates the chosen sort order. When the sort order (Sort By)
is specified, the data is sorted (and aggregated) by the selected attribute.
The column circled in green indicates the Group By selection, which serves as an anchor for
the report. The Group By column is used as a match criteria to filter for the top N groups.
Then, for each of the top N groups, the report enumerates the values for all the other
selected columns.


For example, if a report has the following selections:

The output will display as follows:

The report is anchored by Day and sorted by Sessions. It lists the 5 days (5 Groups) with
maximum traffic in the Last 7 Days time frame. The data is enumerated by the Top 5
sessions for each day for the selected columns: App Category, App Subcategory and Risk.
Time Period

The date range for which you want to analyze data. You can define a custom range or select
a time period ranging from last 15 minutes to the last 30 days. The reports can be run on
demand or scheduled to run at a daily or weekly cadence.

Query Builder

The query builder allows you to define specific queries to further refine the selected
attributes. It lets you see just what you want in your report using the and and or operators
and match criteria, and then include or exclude data that matches or negates the query in
the report. Queries enable you to generate a more focused collation of information in a
report.
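The Sort By / Group By behaviour this table describes, worked through in Python as an added example (not PAN-OS code and not a description of how the firewall implements it internally). Constructed summary-database rows are grouped by Day, the top 5 groups are ranked by Sessions, and within each group the rows are collapsed on the selected columns (App Category, App Subcategory, Risk) with their session counts added, which is the repeat-count aggregation described under Data Source; the no-Sort-By case returns the first N rows unaggregated, as the table states. The row field names are assumed for the example.

```python
from collections import defaultdict

# Constructed 15-minute summary rows (the "Summary database" data source).
# Field names are assumed; each row already carries a sessions count.
FIELDS = ("day", "app_category", "app_subcategory", "risk", "sessions")
SUMMARY_ROWS = [dict(zip(FIELDS, r)) for r in [
    ("Mon", "general-internet", "internet-utility", 4, 120),
    ("Mon", "general-internet", "internet-utility", 4, 80),  # same key as above: collapsed
    ("Mon", "collaboration",    "email",            3, 50),
    ("Tue", "general-internet", "file-sharing",     5, 300),
    ("Tue", "media",            "audio-streaming",  2, 20),
    ("Wed", "collaboration",    "email",            3, 10),
    ("Thu", "networking",       "encrypted-tunnel", 4, 60),
    ("Fri", "general-internet", "internet-utility", 4, 90),
    ("Sat", "media",            "photo-video",      2, 5),
    ("Sun", "networking",       "encrypted-tunnel", 4, 7),
]]


def aggregate_rows(rows, selected_columns, sort_by):
    """Collapse rows whose selected columns match, adding up the sort attribute.

    This is the repeat-count behaviour: duplicate sessions become one line
    whose count is the sum of the duplicates.
    """
    totals = defaultdict(int)
    for row in rows:
        totals[tuple(row[c] for c in selected_columns)] += row[sort_by]
    return totals


def build_custom_report(rows, selected_columns, sort_by, group_by=None,
                        top_groups=5, top_n=10):
    """Mimic the Sort By / Group By semantics the guide describes.

    - No sort_by: return the first top_n rows as-is, with no aggregation.
    - sort_by only: aggregate on selected_columns and rank by that attribute.
    - group_by as well: rank groups by their total, keep top_groups of them,
      and within each enumerate the top_n aggregated rows.
    Returns a list of (group value, group total, [(*selected values, total), ...]);
    without group_by there is one group whose value is None.
    """
    if sort_by is None:
        first = [tuple(r[c] for c in selected_columns) + (None,) for r in rows[:top_n]]
        return [(None, None, first)]
    groups = defaultdict(list)
    for r in rows:
        groups[r[group_by] if group_by else None].append(r)
    # The Group By column anchors the report: rank groups by their total.
    ranked = sorted(groups.items(), key=lambda kv: -sum(r[sort_by] for r in kv[1]))
    report = []
    for gval, grows in ranked[:top_groups]:
        agg = aggregate_rows(grows, selected_columns, sort_by)
        top = sorted(agg.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
        report.append((gval, sum(agg.values()), [k + (v,) for k, v in top]))
    return report


if __name__ == "__main__":
    cols = ("app_category", "app_subcategory", "risk")
    for day, total, lines in build_custom_report(SUMMARY_ROWS, cols, "sessions", "day", 5, 5):
        print(day, total)
        for line in lines:
            print("   ", line)
```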

Generate Custom Reports

Step 1

Select Monitor > Manage Custom Reports.

Step 2

Click Add and then enter a Name for the report.


To base a report on a predefined template, click Load Template and choose the template. You can then
edit the template and save it as a custom report.


Step 3

Select the Database to use for the report.

Each time you create a custom report, a Log View report is automatically created. This report shows the
logs that were used to build the custom report. The log view report uses the same name as the custom
report, but appends the phrase (Log View) to the report name.
When creating a report group, you can include the log view report with the custom report. For more
information, see Manage Report Groups.
Step 4

Select the Scheduled check box to run the report each night. The report is then available for viewing in the
Reports column on the side.

Step 5

Define the filtering criteria. Select the Time Frame, the Sort By order, and the Group By preference, and select the
columns to display in the report.

Step 6

(Optional) Select the Query Builder attributes if you want to further refine the selection criteria. To build a
report query, specify the following and click Add. Repeat as needed to construct the full query.
Connector: Choose the connector (and/or) to precede the expression you are adding.
Negate: Select the check box to interpret the query as a negation. If, for example, you choose to match
entries in the last 24 hours and/or are originating from the untrust zone, the negate option causes a match
on entries that are not in the past 24 hours and/or are not from the untrust zone.
Attribute: Choose a data element. The available options depend on the choice of database.
Operator: Choose the criterion to determine whether the attribute applies (such as =). The available options
depend on the choice of database.
Value: Specify the attribute value to match.
For example, the following figure (based on the Traffic Log database) shows a query that matches if the traffic
log entry was received in the past 24 hours and is from the untrust zone.

Step 7

To test the report settings, select Run Now. Modify the settings as required to change the information that is
displayed in the report.

Step 8

Click OK to save the custom report.


Examples of Custom Reports

Suppose you want to set up a simple report that uses the traffic summary database for the last 30 days, sorts
the data by the top 10 sessions, and groups those sessions into 5 groups by day of the week. You would set
up the custom report to look like this:

And the PDF output for the report would look as follows:


Now, if you want to use the query builder to generate a custom report that represents the top consumers of network
resources within a user group, you would set up the report to look like this:

The report would display the top users in the product management user group sorted by bytes, as follows:

Generate Botnet Reports


The botnet report enables you to use heuristic and behavior-based mechanisms to identify potential malware- or
botnet-infected hosts in your network. To evaluate botnet activity and infected hosts, the firewall correlates
user and network activity data in Threat, URL, and Data Filtering logs with the list of malware URLs in
PAN-DB, known dynamic DNS domain providers, and domains registered within the last 30 days. You can
configure the report to identify hosts that visited those sites, as well as hosts that communicated with Internet
Relay Chat (IRC) servers or that used unknown applications. Malware often uses dynamic DNS to avoid IP
blacklisting, while IRC servers often use bots for automated functions.
The firewall requires Threat Prevention and URL Filtering licenses to use the botnet report.
You can Use the Automated Correlation Engine to monitor suspicious activities based on
additional indicators besides those that the botnet report uses. However, the botnet report is the
only tool that uses newly registered domains as an indicator.

Configure a Botnet Report

Interpret Botnet Report Output

Configure a Botnet Report


You can schedule a botnet report or run it on demand. The firewall generates scheduled botnet reports every
24 hours because behavior-based detection requires correlating traffic across multiple logs over that timeframe.
Configure a Botnet Report

Step 1

Define the types of traffic that indicate possible botnet activity.

1. Select Monitor > Botnet and click Configuration on the right side of the page.
2. Enable and define the Count for each type of HTTP Traffic that the report will include.
   The Count values represent the minimum number of events of each traffic type that must occur for the
   report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If
   the number of events is less than the Count, the report will display a lower confidence score or (for certain
   traffic types) won't display an entry for the host. For example, if you set the Count to three for Malware
   URL visit, then hosts that visit three or more known malware URLs will have higher scores than hosts that
   visit fewer than three. For details, see Interpret Botnet Report Output.
3. Define the thresholds that determine whether the report will include hosts associated with traffic involving
   Unknown TCP or Unknown UDP applications.
4. Select the IRC check box to include traffic involving IRC servers.
5. Click OK to save the report configuration.

Step 2

Schedule the report or run it on demand.

1. Click Report Setting on the right side of the page.
2. Select a time interval for the report in the Test Run Time Frame drop-down.
3. Select the No. of Rows to include in the report.
4. (Optional) Add queries to the Query Builder to filter the report output by attributes such as
   source/destination IP addresses, users, or zones.
   For example, if you know in advance that traffic initiated from the IP address 10.3.3.15 contains no
   potential botnet activity, you can add not (addr.src in 10.0.1.35) as a query to exclude that host from the
   report output. For details, see Interpret Botnet Report Output.
5. Select Scheduled to run the report daily or click Run Now to run the report immediately.
6. Click OK and Commit.

Interpret Botnet Report Output


The botnet report displays a line for each host that is associated with traffic you defined as suspicious when
configuring the report. For each host, the report displays a confidence score of 1 to 5 to indicate the likelihood
of botnet infection, where 5 indicates the highest likelihood. The scores correspond to threat severity levels: 1
is informational, 2 is low, 3 is medium, 4 is high, and 5 is critical. The firewall bases the scores on:

- Traffic type: Certain HTTP traffic types are more likely to involve botnet activity. For example, the report
  assigns a higher confidence to hosts that visit known malware URLs than to hosts that browse to IP domains
  instead of URLs, assuming you defined both those activities as suspicious.

- Number of events: Hosts that are associated with a higher number of suspicious events will have higher
  confidence scores based on the thresholds (Count values) you define when you Configure a Botnet Report.

- Executable downloads: The report assigns a higher confidence to hosts that download executable files.
  Executable files are a part of many infections and, when combined with the other types of suspicious traffic,
  can help you prioritize your investigations of compromised hosts.

When reviewing the report output, you might find that the sources the firewall uses to evaluate botnet activity
(for example, the list of malware URLs in PAN-DB) have gaps. You might also find that these sources identify
traffic that you consider safe. To compensate in both cases, you can add query filters when you Configure a
Botnet Report.

Manage PDF Summary Reports


PDF summary reports contain information compiled from existing reports, based on data for the top 5 in each
category (instead of top 50). They also contain trend charts that are not available in other reports.
Generate PDF Summary Reports

Step 1

Set up a PDF Summary Report.

1. Select Monitor > PDF Reports > Manage PDF Summary.
2. Click Add and then enter a Name for the report.
3. Use the drop-down for each report group and select one or more of the elements to design the PDF Summary
   Report. You can include a maximum of 18 report elements.
   To remove an element from the report, click the x icon or clear the selection from the drop-down for the
   appropriate report group.
   To rearrange the reports, drag and drop the icons to another area of the report.
4. Click OK to save the report.
5. Commit the changes.

Step 2

View the report.

To download and view the PDF Summary Report, see View Reports.

Generate User/Group Activity Reports


User/Group Activity reports summarize the web activity of individual users or user groups. Both reports
include the same information except for the Browsing Summary by URL Category and Browse time calculations,
which only the User Activity report includes.
You must configure User-ID on the firewall to access the list of users and user groups.
Generate User/Group Activity Reports

Step 1

Configure the browse times and number of logs for User/Group Activity reports. Required only if you want
to change the default values.

1. Select Device > Setup > Management, edit the Logging and Reporting Settings, and select the Log Export
   and Reporting tab.
2. For the Max Rows in User Activity Report, enter the maximum number of rows that the detailed user
   activity report supports (range is 1-1048576, default is 5000). This determines the number of logs that the
   report analyzes.
3. Enter the Average Browse Time in seconds that you estimate users should take to browse a web page
   (range is 0-300, default is 60). Any request made after the average browse time elapses is considered a new
   browsing activity. The calculation uses Container Pages (logged in the URL Filtering logs) as the basis and
   ignores any new web pages that are loaded between the time of the first request (start time) and the
   average browse time. For example, if you set the Average Browse Time to two minutes and a user opens a
   web page and views that page for five minutes, the browse time for that page will still be two minutes. This
   is done because the firewall can't determine how long a user views a given page. The average browse time
   calculation ignores sites categorized as web advertisements and content delivery networks.
4. For the Page Load Threshold, enter the estimated time in seconds for page elements to load on the page
   (default is 20). Any requests that occur between the first page load and the page load threshold are
   assumed to be elements of the page. Any requests that occur outside of the page load threshold are
   assumed to be the user clicking a link within the page.
5. Click OK to save your changes.

Step 2

Generate the User/Group Activity report.

1. Select Monitor > PDF Reports > User Activity Report.
2. Click Add and then enter a Name for the report.
3. Create the report:
   - User Activity Report: Select User and enter the Username or IP address (IPv4 or IPv6) of the user.
   - Group Activity Report: Select Group and select the Group Name of the user group.
4. Select the Time Period for the report.
5. Optionally, select the Include Detailed Browsing check box (default is cleared) to include detailed URL logs
   in the report. The detailed browsing information can include a large volume of logs (thousands of logs) for
   the selected user or user group and can make the report very large.
6. To run the report on demand, click Run Now.
7. To save the report configuration, click OK. You can't save the output of User/Group Activity reports on the
   firewall. To schedule the report for email delivery, see Schedule Reports for Email Delivery.
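The Average Browse Time and Page Load Threshold rules in Step 1 are easier to reason about on a concrete request
sequence. The following Python model is an added example written for this guide, not Palo Alto Networks code: it
applies the rules as described above (only Container Pages start a browsing activity, requests inside the Page Load
Threshold are page elements, later requests before the Average Browse Time elapses are clicks within the same
activity, a Container Page request after it elapses starts a new activity, every activity is credited exactly the
Average Browse Time, and web-advertisement and content-delivery-network requests are ignored) to a constructed URL
log. The grouping rules are an interpretation of the text, and the request records and category names are constructed.

```python
"""Model of the User Activity report browse-time calculation (Average Browse
Time and Page Load Threshold). Added example for this guide, not Palo Alto
Networks code; the grouping rules are an interpretation of the guide's text."""
from dataclasses import dataclass


@dataclass
class Request:
    ts: int           # seconds into the observation window (constructed)
    url: str
    category: str     # URL category as it would appear in the URL Filtering log
    container: bool   # True when the log marks the request as a Container Page


# Categories the calculation ignores, per the guide.
IGNORED_CATEGORIES = {"web-advertisements", "content-delivery-networks"}


def browse_time(requests, avg_browse_time=60, page_load_threshold=20):
    """Return (total_seconds, activities) for one user's requests.

    Rules as modelled here:
      - requests in IGNORED_CATEGORIES are skipped;
      - only a Container Page request can start a browsing activity;
      - a request within page_load_threshold of the activity start is a page element;
      - a later request before avg_browse_time has elapsed is a click within the
        same activity and adds no time;
      - a Container Page request after avg_browse_time has elapsed starts a new
        activity;
      - every activity is credited exactly avg_browse_time, however long the user
        actually stayed on the page (the guide's "five minutes counts as two").
    """
    activities = []
    current = None
    for req in sorted(requests, key=lambda r: r.ts):
        if req.category in IGNORED_CATEGORIES:
            continue
        if current is None or req.ts - current["start"] >= avg_browse_time:
            if not req.container:
                continue   # a page element outside any activity does not start one
            current = {"start": req.ts, "url": req.url, "elements": 0, "clicks": 0}
            activities.append(current)
        elif req.ts - current["start"] <= page_load_threshold:
            current["elements"] += 1
        else:
            current["clicks"] += 1
    return len(activities) * avg_browse_time, activities


# Constructed URL log for one user (hostnames and categories are made up).
SAMPLE_REQUESTS = [
    Request(0,   "news.example/",          "news",                      True),
    Request(3,   "cdn.example/app.js",     "content-delivery-networks", False),
    Request(5,   "news.example/style.css", "news",                      False),
    Request(45,  "news.example/article/1", "news",                      True),
    Request(300, "news.example/article/2", "news",                      True),
    Request(310, "ads.example/banner",     "web-advertisements",        True),
    Request(400, "news.example/article/3", "news",                      True),
    Request(600, "mail.example/inbox",     "web-based-email",           True),
]

if __name__ == "__main__":
    total, acts = browse_time(SAMPLE_REQUESTS, avg_browse_time=120, page_load_threshold=20)
    print(f"{len(acts)} activities, {total} s browse time")
    for a in acts:
        print(f"  start={a['start']:>4}s {a['url']} elements={a['elements']} clicks={a['clicks']}")
```

With a two-minute Average Browse Time the sample yields three activities and 360 seconds, although the user was
active for ten minutes; lowering the Average Browse Time to 60 seconds splits the same requests into four activities,
which is why the report's totals move with this setting rather than with real dwell time.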

Manage Report Groups


Report groups allow you to create sets of reports that the system can compile and send as a single aggregate
PDF report with an optional title page and all the constituent reports included.
Set up Report Groups

Step 1

Set up report groups.

You must set up a Report Group to email report(s).

1. Create an Email server profile.
2. Define the Report Group. A report group can compile predefined reports, PDF Summary reports, custom
   reports, and Log View report into a single PDF.
   a. Select Monitor > Report Group.
   b. Click Add and then enter a Name for the report group.
   c. (Optional) Select Title Page and add a Title for the PDF output.
   d. Select reports from the left column and click Add to move each report to the report group on the right.
      The Log View report is a report type that is automatically created each time you create a custom report
      and uses the same name as the custom report. This report will show the logs that were used to build the
      contents of the custom report.
      To include the log view data, when creating a report group, add your custom report under the Custom
      Reports list and then add the log view report by selecting the matching report name from the Log View
      list. The report will include the custom report data and the log data that was used to create the custom
      report.
   e. Click OK to save the settings.
   f. To use the report group, see Schedule Reports for Email Delivery.

Schedule Reports for Email Delivery


Reports can be scheduled for daily delivery or delivered weekly on a specified day. Scheduled reports are
executed starting at 2:00 AM, and email delivery starts after all scheduled reports have been generated.
Schedule Reports for Email Delivery

Step 1

Select Monitor > PDF Reports > Email Scheduler and click Add.

Step 2

Enter a Name to identify the schedule.

Step 3

Select the Report Group for email delivery. To set up a report group, see Manage Report Groups.

Step 4

For the Email Profile, select an Email Server profile to use for delivering the reports, or click the Email Profile
link to Create an Email server profile.

Step 5

Select the frequency at which to generate and send the report in Recurrence.

Step 6

The Override Recipient email(s) allows you to send this report exclusively to the recipients specified in this
field. When you add recipients to the field, the report is not sent to the recipients configured in the email server
profile. Use this option for those occasions when the report is for the attention of someone other than the
administrators or recipients defined in the email server profile.

Use External Services for Monitoring


Using an external service to monitor the firewall enables you to receive alerts for important events, archive
monitored information on systems with dedicated long-term storage, and integrate with third-party security
monitoring tools. The following are some common scenarios for using external services:

- For immediate notification about important system events or threats, you can Monitor Device Statistics
  Using SNMP, Forward Traps to an SNMP Manager, or Configure Email Alerts.

- For long-term log storage and centralized firewall monitoring, you can Configure Syslog Monitoring to
  send log data to a syslog server. This enables integration with third-party security monitoring tools such as
  Splunk or ArcSight.

- For monitoring statistics on the IP traffic that traverses firewall interfaces, you can Configure NetFlow
  Exports to view the statistics in a NetFlow collector.

You can Configure Log Forwarding from the firewalls directly to external services or from the firewalls to
Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for
the factors to consider when deciding where to forward logs.
You can't aggregate NetFlow records on Panorama; you must send them directly from the
firewalls to a NetFlow collector.

Configure Log Forwarding


To use Panorama or Use External Services for Monitoring the firewall, you must configure the firewall to
forward its logs. Before forwarding to external services, the firewall automatically converts the logs to the
necessary format: syslog messages, SNMP traps, or email notifications. Before starting this procedure, ensure
that Panorama or the external server that will receive the log data is already set up.
The PA-7000 Series firewall can't forward logs to Panorama, only to external services. However,
when you use Panorama to monitor logs or generate reports for a device group that includes a
PA-7000 Series firewall, Panorama queries the PA-7000 Series firewall in real time to display its
log data.
You can forward logs from the firewalls directly to external services or from the firewalls to
Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding
Options for the factors to consider when deciding where to forward logs.
You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an
SCP server and import it to another firewall. Because the log database is too large for an export
or import to be practical on the PA-7000 Series firewall, it does not support these options. You
can also use the web interface on all platforms to Schedule Log Exports to an SCP or FTP Server,
but only on a per log type basis, not the entire log database.

Configure Log Forwarding

Step 1

Configure a server profile for each external service that will receive log data.

You can use separate profiles to send each log type to a different server. To increase availability, define
multiple servers in a single profile.

- Create an Email server profile.
- Configure an SNMP Trap server profile. To enable the SNMP manager (trap server) to interpret firewall
  traps, you must load the Palo Alto Networks Supported MIBs into the SNMP manager and, if necessary,
  compile them. For details, refer to your SNMP management software documentation.
- Configure a Syslog server profile. If the syslog server requires client authentication, you must also Create a
  certificate to secure syslog communication over SSL.

Step 2

Create a log forwarding profile.

The profile defines the destinations for Traffic, Threat, and WildFire Submission logs. (Threat logs include
URL Filtering and Data Filtering logs.)

1. Select Objects > Log Forwarding and click Add.
2. Enter a Name to identify the profile. If you want the firewall to automatically assign the profile to new
   security rules and zones, enter default. If you don't want a default profile, or you want to override an
   existing default profile, enter a Name that will help you identify the profile when assigning it to security
   rules and zones.
   If no log forwarding profile named default exists, the profile selection is set to None by default in new
   security rules (Log Forwarding field) and new security zones (Log Setting field), although you can change
   the selection.
3. Perform the following steps for each log type and each severity level or WildFire verdict:
   a. Select the Panorama check box if you want to aggregate firewall logs on Panorama. (You can then
      configure Panorama to forward the logs to external services.)
   b. Select the SNMP Trap, Email, or Syslog server profile you configured for this log type, and click OK.

Step 3

Assign the log forwarding profile to security rules.

To trigger log generation and forwarding, the rules require certain Security Profiles according to log type:
- Traffic logs: No security profile is necessary; the traffic only needs to match a specific security rule.
- Threat logs: The traffic must match any security profile assigned to a security rule.
- WildFire logs: The traffic must match a WildFire Analysis profile assigned to a security rule.

Perform the following steps for each rule that will trigger log forwarding:
1. Select Policies > Security and click the rule.
2. Select the Actions tab and select the Log Forwarding profile you just created.
3. In the Profile Type drop-down, select Profiles or Group, and then select the security profiles or Group
   Profile required to trigger log generation and forwarding.
4. For Traffic logs, select one or both of the Log At Session Start and Log At Session End check boxes, and
   click OK.

Step 4

Configure the destinations of System, Config, HIP Match, and Correlation logs.

1. Select Device > Log Settings.
2. Perform the following steps for each log type. For System and Correlation logs, start by clicking the
   Severity level. For Config and HIP Match logs, start by clicking the Edit icon.
   a. Select the Panorama check box if you want to aggregate firewall logs on Panorama. You can then
      configure Panorama to forward the logs to the external services.
   b. Select the SNMP Trap, Email, or Syslog server profile you configured for this log type and click OK.

Step 5

(PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding.

1. Select Network > Interfaces > Ethernet and click Add Interface.
2. Select the Slot and Interface Name.
3. For the Interface Type, select Log Card.
4. Enter the IP Address, Default Gateway, and (for IPv4 only) Netmask.
5. Click OK to save the interface.

Step 6

Commit and verify your changes.

1. Click Commit to complete the log forwarding configuration.
2. Verify the log destinations you configured are receiving firewall logs:
   - Panorama: If the firewall forwards logs to an M-Series appliance, you must configure a Collector Group
     before Panorama will receive the logs. You can then verify log forwarding.
   - Email server: Verify that the specified recipients are receiving logs as email notifications.
   - Syslog server: Refer to the documentation for your syslog server to verify it is receiving logs as syslog
     messages.
   - SNMP manager: Use an SNMP Manager to Explore MIBs and Objects to verify it is receiving logs as
     SNMP traps.

Configure Email Alerts


You can configure email alerts for System, Config, HIP Match, Correlation, Threat, WildFire Submission, and
Traffic logs.
Configure Email Alerts

Step 1

Create an Email server profile.

You can use separate profiles to send email notifications for each log type to a different server. To increase
availability, define multiple servers (up to four) in a single profile.

1. Select Device > Server Profiles > Email.
2. Click Add and then enter a Name for the profile.
3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this
   profile is available.
4. For each Simple Mail Transport Protocol (SMTP) server (email server), click Add and define the following
   information:
   - Name: Name to identify the SMTP server (1-31 characters). This field is just a label and doesn't have to
     be the hostname of an existing email server.
   - Email Display Name: The name to show in the From field of the email.
   - From: The email address from which the Palo Alto Networks device sends emails.
   - To: The email address to which the Palo Alto Networks device sends emails.
   - Additional Recipient: If you want to send emails to a second account, enter the address here. You can
     add only one additional recipient. For multiple recipients, add the email address of a distribution list.
   - Email Gateway: The IP address or hostname of the SMTP gateway to use for sending emails.
5. (Optional) Select the Custom Log Format tab and customize the format of the email messages. For details
   on how to create custom formats for the various log types, refer to the Common Event Format
   Configuration Guide.
6. Click OK to save the Email server profile.

Step 2

Configure email alerts for Traffic, Threat, and WildFire Submission logs.

1. Create a log forwarding profile.
   a. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
   b. For each log type and each severity level or WildFire verdict, select the Email server profile and click OK.
2. Assign the log forwarding profile to security rules.

Step 3

Configure email alerts for System, Config, HIP Match, and Correlation logs.

1. Select Device > Log Settings.
2. For System and Correlation logs, click each Severity level, select the Email server profile, and click OK.
3. For Config and HIP Match logs, click the Edit icon, select the Email server profile, and click OK.
4. Click Commit.

Use Syslog for Monitoring


Syslog is a standard log transport mechanism that enables the aggregation of log data from different network
devices, such as routers, firewalls, and printers, from different vendors into a central repository for archiving,
analysis, and reporting. Palo Alto Networks devices can forward every type of log they generate to an external
syslog server. You can use TCP or SSL for reliable and secure log forwarding, or UDP for non-secure
forwarding.

Configure Syslog Monitoring

Syslog Field Descriptions

Configure Syslog Monitoring


To Use Syslog for Monitoring a Palo Alto Networks device, create a Syslog server profile and assign it to the
device log settings for each log type. Optionally, you can configure the header format used in syslog messages
and enable client authentication for syslog over SSL.
Configure Syslog Monitoring

Step 1

Configure a Syslog server profile.

You can use separate profiles to send syslogs for each log type to a different server. To increase availability,
define multiple servers (up to four) in a single profile.

1. Select Device > Server Profiles > Syslog.
2. Click Add and enter a Name for the profile.
3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this
   profile is available.
4. For each syslog server, click Add and enter the information that the firewall requires to connect to it:
   - Name: Unique name for the server profile.
   - Server: IP address or fully qualified domain name (FQDN) of the syslog server.
   - Transport: Select TCP, UDP, or SSL as the method of communication with the syslog server.
   - Port: The port number on which to send syslog messages (default is UDP on port 514); you must use the
     same port number on the firewall and the syslog server.
   - Format: Select the syslog message format to use: BSD (the default) or IETF. Traditionally, BSD format is
     over UDP and IETF format is over TCP or SSL.
   - Facility: Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field in
     your syslog server implementation. Select the value that maps to how you use the PRI field to manage
     your syslog messages.
5. (Optional) To customize the format of the syslog messages that the firewall sends, select the Custom Log
   Format tab. For details on how to create custom formats for the various log types, refer to the Common
   Event Format Configuration Guide.
6. Click OK to save the server profile.

Step 2

Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs.

1. Create a log forwarding profile.
   a. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
   b. For each log type and each severity level or WildFire verdict, select the Syslog server profile and click
      OK.
2. Assign the log forwarding profile to security rules.

Step 3

Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.

1. Select Device > Log Settings.
2. For System and Correlation logs, click each Severity level, select the Syslog server profile, and click OK.
3. For Config, HIP Match, and Correlation logs, click the Edit icon, select the Syslog server profile, and click
   OK.

Step 4

(Optional) Configure the header format of syslog messages.

The log data includes the unique identifier of the device that generated the log. Choosing the header format
provides more flexibility in filtering and reporting on the log data for some Security Information and Event
Management (SIEM) servers. This is a global setting and applies to all syslog server profiles configured on the
device.

1. Select Device > Setup > Management and edit the Logging and Reporting Settings.
2. Select the Log Export and Reporting tab and select the Syslog HOSTNAME Format:
   - FQDN (default): Concatenates the hostname and domain name defined on the sending device.
   - hostname: Uses the hostname defined on the sending device.
   - ipv4-address: Uses the IPv4 address of the device interface used to send logs. By default, this is the MGT
     interface.
   - ipv6-address: Uses the IPv6 address of the device interface used to send logs. By default, this is the MGT
     interface.
   - none: Leaves the hostname field unconfigured on the device. There is no identifier for the device that
     sent the logs.
3. Click OK to save your changes.

Step 5

Create a certificate to secure syslog communication over SSL.

Required only if the syslog server uses client authentication. The syslog server uses the certificate to verify
that the device is authorized to communicate with the syslog server.
Ensure the following conditions are met:
- The private key must be available on the sending device; the keys can't reside on a Hardware Security
  Module (HSM).
- The subject and the issuer for the certificate must not be identical.
- The syslog server and the sending device must have certificates that the same trusted certificate authority
  (CA) signed. Alternatively, you can generate a self-signed certificate on the device, export the certificate
  from the device, and import it into the syslog server.

1. Select Device > Certificate Management > Certificates > Device Certificates and click Generate.
2. Enter a Name for the certificate.
3. In the Common Name field, enter the IP address of the device sending logs to the syslog server.
4. In Signed by, select the trusted CA or the self-signed CA that the syslog server and the sending device both
   trust. The certificate can't be a Certificate Authority nor an External Authority (certificate signing request
   [CSR]).
5. Click Generate. The device generates the certificate and key pair.
6. Click the certificate Name to edit it, select the Certificate for Secure Syslog check box, and click OK.

Step 6

Commit your changes and review the logs on the syslog server.

1. Click Commit.
2. To review the logs, refer to the documentation of your syslog management software. You can also review
   the Syslog Field Descriptions.

Syslog Field Descriptions


The following topics list the standard fields of each log type that Palo Alto Networks devices can forward to an
external server, as well as the severity levels, custom formats, and escape sequences. To facilitate parsing, the
delimiter is a comma: each field is a comma-separated value (CSV) string. The FUTURE_USE tag applies to
fields that the devices do not currently implement.
WildFire Submission logs are a subtype of Threat log and use the same syslog format.

Traffic Logs

Threat Logs

HIP Match Logs

Config Logs

System Logs

Syslog Severity

Custom Log/Event Format

Escape Sequences

Traffic Logs
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time,
Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User,
Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log
Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source
Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time,
Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination
Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy
Level 1*, Device Group Hierarchy Level 2*, Device Group Hierarchy Level 3*, Device Group Hierarchy
Level 4*, Virtual System Name*, Device Name*, Action Source*
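To make the field list above concrete, here is a parser for a Traffic log line received in the default BSD format. It
is an added example for this guide, not Palo Alto Networks code. It splits the comma-separated payload into the
fields in Format order, decodes the PRI value in the syslog header into facility and severity (PRI = facility * 8 +
severity, as the syslog standard defines it), and expands the Flags field using the bit values listed under Flags
(flags) in the field table that follows. Keys up to Flags are the ones shown in parentheses in the field table; the
keys for the remaining fields are derived from their display names and are an assumption, as is the exact BSD header
layout. The sample message, its addresses, serial number and names are constructed.

```python
"""Parse a PAN-OS 7.0 Traffic log received over syslog in BSD format.
Added example for this guide, not Palo Alto Networks code."""
import csv
import io
import re

# Field order exactly as given in the Format line above. Keys through "flags"
# are the syslog keys from the field table; later keys are derived from the
# display names (an assumption, not a documented identifier).
TRAFFIC_FIELDS = [
    "future_use_1", "receive_time", "serial", "type", "subtype", "future_use_2",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "logset", "future_use_3", "sessionid", "repeatcnt", "sport", "dport",
    "natsport", "natdport", "flags", "protocol", "action", "bytes", "bytes_sent",
    "bytes_received", "packets", "start_time", "elapsed_time", "category",
    "future_use_4", "sequence_number", "action_flags", "source_location",
    "destination_location", "future_use_5", "packets_sent", "packets_received",
    "session_end_reason", "dg_hierarchy_level_1", "dg_hierarchy_level_2",
    "dg_hierarchy_level_3", "dg_hierarchy_level_4", "vsys_name", "device_name",
    "action_source",
]

# Bit values from the Flags (flags) description; the field is decoded by
# AND-ing each value with the logged value.
FLAG_BITS = {
    0x80000000: "pcap",
    0x02000000: "ipv6",
    0x01000000: "ssl-decrypted",
    0x00800000: "url-denied",
    0x00400000: "nat",
    0x00200000: "captive-portal",
    0x00080000: "x-forwarded-for",
    0x00040000: "proxy-transaction",
    0x00008000: "container-page",
    0x00002000: "temporary-rule-match",
    0x00000800: "symmetric-return",
}

# BSD syslog header "<PRI>Mmm dd hh:mm:ss hostname payload" (assumed layout).
BSD_HEADER = re.compile(r"^<(\d{1,3})>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (.*)$")

# Constructed sample message: one allowed, NAT-ed, decrypted HTTPS session.
SAMPLE_LINE = (
    r"<14>Dec 23 10:15:02 PA-VM-LAB 1,2015/12/23 10:15:02,007200001234,TRAFFIC,end,0,"
    r"2015/12/23 10:15:02,10.1.1.25,93.184.216.34,203.0.113.5,93.184.216.34,"
    r'"allow-web, outbound",lab\alice,,web-browsing,vsys1,trust,untrust,'
    r"ethernet1/2,ethernet1/1,default,0,48211,1,51522,443,17211,443,0x1400000,"
    r"tcp,allow,15420,3210,12210,40,2015/12/23 10:14:50,12,"
    r"computer-and-internet-info,0,987654321,0x0,10.0.0.0-10.255.255.255,US,0,"
    r"18,22,tcp-fin,0,0,0,0,vsys1,PA-VM-LAB,from-policy"
)


def parse_pri(pri):
    """Split the syslog PRI value into (facility, severity): PRI = facility * 8 + severity."""
    pri = int(pri)
    return pri // 8, pri % 8


def decode_flags(value):
    """Return the names of the documented flag bits set in a logged flags value."""
    bits = int(value, 16) if value.lower().startswith("0x") else int(value)
    return sorted(name for bit, name in FLAG_BITS.items() if bits & bit)


def parse_traffic_syslog(line):
    """Return a dict of named fields for one BSD-format Traffic log line."""
    match = BSD_HEADER.match(line.strip())
    if not match:
        raise ValueError("line does not start with a BSD syslog header")
    facility, severity = parse_pri(match.group(1))
    # The csv module handles quoted values such as a rule name containing a comma.
    values = next(csv.reader(io.StringIO(match.group(2))))
    if len(values) < len(TRAFFIC_FIELDS):
        raise ValueError(f"expected {len(TRAFFIC_FIELDS)} fields, got {len(values)}")
    record = dict(zip(TRAFFIC_FIELDS, values))   # extra trailing fields are ignored
    if record["type"].lower() != "traffic":
        raise ValueError(f"not a Traffic log: type={record['type']}")
    for key in ("sport", "dport", "natsport", "natdport", "bytes", "bytes_sent",
                "bytes_received", "packets", "repeatcnt"):
        record[key] = int(record[key])
    record["facility"], record["severity"] = facility, severity
    record["flag_names"] = decode_flags(record["flags"])
    return record


def is_denied(record):
    """True when the session was dropped or denied, by subtype or by the URL filtering flag."""
    return record["subtype"] in ("drop", "deny") or "url-denied" in record["flag_names"]


if __name__ == "__main__":
    rec = parse_traffic_syslog(SAMPLE_LINE)
    print(rec["src"], "->", rec["dst"], rec["app"], rec["action"], rec["flag_names"])
```

The parser keys the fields by position, so it must be updated if the Format line changes between releases, which is
why the field count is checked before the values are named; a SIEM rule that instead matches by column number silently
shifts when a release inserts a field.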
Field Name (syslog key): Description

Receive Time (receive_time): Time the log was received at the management plane
Serial Number (serial): Serial number of the device that generated the log
Type (type): Specifies type of log; values are traffic, threat, config, system and hip-match

Subtype (subtype): Subtype of traffic log; values are start, end, drop, and deny
  - start: session started
  - end: session ended
  - drop: session dropped before the application is identified and there is no rule that allows the session.
  - deny: session dropped after the application is identified and there is a rule to block or no rule that
    allows the session.
Generated Time (time_generated): Time the log was generated on the dataplane
Source IP (src): Original session source IP address
Destination IP (dst): Original session destination IP address
NAT Source IP (natsrc): If Source NAT performed, the post-NAT Source IP address
NAT Destination IP (natdst): If Destination NAT performed, the post-NAT Destination IP address
Rule Name (rule): Name of the rule that the session matched
Source User (srcuser): Username of the user who initiated the session
Destination User (dstuser): Username of the user to which the session was destined
Application (app): Application associated with the session
Virtual System (vsys): Virtual System associated with the session
Source Zone (from): Zone the session was sourced from
Destination Zone (to): Zone the session was destined to
Ingress Interface (inbound_if): Interface that the session was sourced from
Egress Interface (outbound_if): Interface that the session was destined to
Log Forwarding Profile (logset): Log Forwarding Profile that was applied to the session
Session ID (sessionid): An internal numerical identifier applied to each session
Repeat Count (repeatcnt): Number of sessions with same Source IP, Destination IP, Application, and Subtype seen
  within 5 seconds; used for ICMP only
Source Port (sport): Source port utilized by the session
Destination Port (dport): Destination port utilized by the session
NAT Source Port (natsport): Post-NAT source port
NAT Destination Port (natdport): Post-NAT destination port

308 PAN-OS 7.0 Administrators Guide

Palo Alto Networks

Monitoring

Use Syslog for Monitoring

Field Name

Description

Flags (flags): 32-bit field that provides details on the session; decode it by AND-ing each of the following values with the logged value:
  0x80000000: session has a packet capture (PCAP)
  0x02000000: IPv6 session
  0x01000000: SSL session was decrypted (SSL Proxy)
  0x00800000: session was denied via URL filtering
  0x00400000: session had a NAT translation performed (NAT)
  0x00200000: user information for the session was captured via the captive portal (Captive Portal)
  0x00080000: X-Forwarded-For value from a proxy is in the source user field
  0x00040000: log corresponds to a transaction within an HTTP proxy session (Proxy Transaction)
  0x00008000: session is a container page access (Container Page)
  0x00002000: session has a temporary match on a rule for implicit application dependency handling (available in PAN-OS 5.0.0 and above)
  0x00000800: symmetric return was used to forward traffic for this session

Protocol (proto): IP protocol associated with the session.

Action (action): Action taken for the session; possible values are:
  Allow: session was allowed by policy
  Deny: session was denied by policy
  Drop: session was dropped silently
  Drop ICMP: session was dropped and an ICMP unreachable message was sent to the host or application
  Reset both: session was terminated and a TCP reset was sent to both sides of the connection
  Reset client: session was terminated and a TCP reset was sent to the client
  Reset server: session was terminated and a TCP reset was sent to the server

Bytes (bytes): Number of total bytes (transmit and receive) for the session.

Bytes Sent (bytes_sent): Number of bytes in the client-to-server direction of the session. Available on all models except the PA-4000 Series.

Bytes Received (bytes_received): Number of bytes in the server-to-client direction of the session. Available on all models except the PA-4000 Series.

Packets (packets): Number of total packets (transmit and receive) for the session.

Start Time (start): Time of session start.

Elapsed Time (elapsed): Elapsed time of the session.

Category (category): URL category associated with the session (if applicable).

Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating whether the log was forwarded to Panorama.

Source Location (srcloc): Source country or internal region for private addresses; maximum length is 32 bytes.

Destination Location (dstloc): Destination country or internal region for private addresses; maximum length is 32 bytes.

Packets Sent (pkts_sent): Number of client-to-server packets for the session. Available on all models except the PA-4000 Series.

Packets Received (pkts_received): Number of server-to-client packets for the session. Available on all models except the PA-4000 Series.

Session End Reason (session_end_reason): The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible values are as follows, in order of priority (where the first is highest):
  threat: the firewall detected a threat associated with a reset, drop, or block (IP address) action
  policy-deny: the session matched a security rule with a deny or drop action
  tcp-rst-from-client: the client sent a TCP reset to the server
  tcp-rst-from-server: the server sent a TCP reset to the client
  resources-unavailable: the session was dropped because of a system resource limitation; for example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue
  tcp-fin: one host or both hosts in the connection sent a TCP FIN message to close the session
  tcp-reuse: a session was reused and the firewall closed the previous session
  decoder: the decoder detected a new connection within the protocol (such as HTTP-Proxy) and ended the previous connection
  aged-out: the session aged out
  unknown: applies in the following situations:
    session terminations that the preceding reasons do not cover (for example, a clear session all command)
    logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1); the value is unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall
    in Panorama, logs received from firewalls whose PAN-OS version does not support session end reasons
  n/a: applies when the traffic log subtype is not end

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) [New in v7.0!]: A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34, or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name) [New in v7.0!]: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name) [New in v7.0!]: The hostname of the firewall on which the session was logged.

Action Source (action_source) [New in v7.0!]: Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client, or reset-both for the session.
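
As an added example (not code from this guide or from Palo Alto Networks), the following Python parses a traffic log message body into a dictionary keyed by the syslog field names from the table above, decodes the Flags bitfield with the bit values listed there, reads the device group ancestry the way the dg_hier_level row describes, and cross-checks fields that must agree (byte and packet totals against their per-direction counters, the NAT flag against the NAT address fields). The two messages are constructed for the example: serial number, hostnames, rule names, user and addresses are made up, and the syslog header (priority, timestamp, host) that precedes the message body is omitted.

```python
import csv
import io

# Column order of the PAN-OS 7.0 traffic log format (the Format line above),
# keyed by the syslog field names used in the table. FUTURE_USE columns get
# numbered placeholder names so that every position has a key.
TRAFFIC_FIELDS = [
    "future_use_0", "receive_time", "serial", "type", "subtype", "future_use_5",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "logset", "future_use_21", "sessionid", "repeatcnt", "sport", "dport",
    "natsport", "natdport", "flags", "proto", "action", "bytes", "bytes_sent",
    "bytes_received", "packets", "start", "elapsed", "category",
    "future_use_38", "seqno", "actionflags", "srcloc", "dstloc",
    "future_use_43", "pkts_sent", "pkts_received", "session_end_reason",
    "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4",
    "vsys_name", "device_name", "action_source",
]

# Bit values of the Flags field, from the table above, highest bit first.
FLAG_BITS = [
    (0x80000000, "pcap"), (0x02000000, "ipv6"), (0x01000000, "ssl-decrypted"),
    (0x00800000, "url-denied"), (0x00400000, "nat"), (0x00200000, "captive-portal"),
    (0x00080000, "x-forwarded-for"), (0x00040000, "proxy-transaction"),
    (0x00008000, "container-page"), (0x00002000, "temporary-rule-match"),
    (0x00000800, "symmetric-return"),
]

COUNTERS = ("bytes", "bytes_sent", "bytes_received", "packets", "pkts_sent",
            "pkts_received", "elapsed", "repeatcnt")


def split_fields(message):
    """Split a message body into fields. The firewall uses CSV quoting (a field
    containing a comma or quote is quoted, an embedded quote is doubled), which
    is what csv.reader's default dialect expects."""
    return next(csv.reader(io.StringIO(message)))


def decode_flags(value):
    """Names of the flag bits set in the hex Flags value, e.g. 0x400000."""
    bits = int(value, 16)
    return [name for bit, name in FLAG_BITS if bits & bit]


def device_group_path(rec):
    """Ancestry from the top-level device group down to the group that owns
    the firewall; unused levels are logged as 0 and dropped here."""
    ids = [int(rec["dg_hier_level_%d" % i]) for i in range(1, 5)]
    return [i for i in ids if i != 0]


def parse_traffic(message):
    fields = split_fields(message)
    if len(fields) != len(TRAFFIC_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(TRAFFIC_FIELDS), len(fields)))
    rec = dict(zip(TRAFFIC_FIELDS, fields))
    if rec["type"].lower() != "traffic":
        raise ValueError("not a traffic log: %r" % rec["type"])
    for key in COUNTERS:
        rec[key] = int(rec[key])
    rec["flags_decoded"] = decode_flags(rec["flags"])
    rec["device_group_path"] = device_group_path(rec)
    return rec


def consistency_warnings(rec):
    """Cross-field checks a collector can apply before trusting a record."""
    warnings = []
    if rec["bytes"] != rec["bytes_sent"] + rec["bytes_received"]:
        warnings.append("bytes != bytes_sent + bytes_received")
    if rec["packets"] != rec["pkts_sent"] + rec["pkts_received"]:
        warnings.append("packets != pkts_sent + pkts_received")
    if ("nat" in rec["flags_decoded"]) != bool(rec["natsrc"] or rec["natdst"]):
        warnings.append("NAT flag and NAT address fields disagree")
    if rec["subtype"] == "end" and rec["session_end_reason"] in ("", "n/a"):
        warnings.append("end log without a session end reason")
    return warnings


# Constructed sample messages (not real firewall output); syslog header omitted.
TRAFFIC_SAMPLES = [
    "1,2015/12/23 10:15:02,001801000001,TRAFFIC,end,1,2015/12/23 10:15:02,"
    "10.1.1.20,203.0.113.10,198.51.100.5,203.0.113.10,allow-web,corp\\jdoe,,"
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-to-siem,1,"
    "34567,1,51234,443,41000,443,0x400000,tcp,allow,5120,1024,4096,20,"
    "2015/12/23 10:14:50,12,computer-and-internet-info,0,90001,0x0,"
    "10.0.0.0-10.255.255.255,US,0,8,12,tcp-fin,12,34,45,0,vsys1,fw-dc1,from-policy",
    # rule name containing a comma (hence quoted); IPv6 session with a packet capture
    "1,2015/12/23 10:16:40,001801000001,TRAFFIC,deny,1,2015/12/23 10:16:40,"
    "2001:db8::10,2001:db8:1::25,,,\"block-smtp, outbound\",corp\\jdoe,,smtp,vsys1,"
    "trust,untrust,ethernet1/2,ethernet1/1,fwd-to-siem,1,34570,1,50010,25,0,0,"
    "0x82000000,tcp,deny,60,60,0,1,2015/12/23 10:16:40,0,any,0,90002,0x0,US,NL,"
    "0,1,0,policy-deny,12,34,45,0,vsys1,fw-dc1,from-policy",
]

if __name__ == "__main__":
    for rec in map(parse_traffic, TRAFFIC_SAMPLES):
        print(rec["sessionid"], rec["subtype"], rec["rule"], rec["flags_decoded"],
              rec["device_group_path"], consistency_warnings(rec) or "ok")
```

The field count check is deliberately exact: a forwarded line with a different number of columns means either a different PAN-OS version's format or a custom log format, and silently shifting the columns would put the wrong value under the wrong key.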

Threat Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_id, Filedigest, Cloud, URL Index*, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1*, Device Group Hierarchy Level 2*, Device Group Hierarchy Level 3*, Device Group Hierarchy Level 4*, Virtual System Name*, Device Name*, FUTURE_USE

Field Name (syslog key): Description

Receive Time (receive_time): Time the log was received at the management plane.

Serial Number (serial): Serial number of the device that generated the log.

Type (type): Specifies the type of log; values are traffic, threat, config, system, and hip-match.

Subtype (subtype): Subtype of threat log; values are url, virus, spyware, vulnerability, file, scan, flood, data, and wildfire:
  url: URL filtering log
  virus: virus detection
  spyware: spyware detection
  vulnerability: vulnerability exploit detection
  file: file type log
  scan: scan detected via Zone Protection Profile
  flood: flood detected via Zone Protection Profile
  data: data pattern detected from Data Filtering Profile
  wildfire: WildFire Submissions log

Generated Time (time_generated): Time the log was generated on the dataplane.

Source IP (src): Original session source IP address.

Destination IP (dst): Original session destination IP address.

NAT Source IP (natsrc): If source NAT was performed, the post-NAT source IP address.

NAT Destination IP (natdst): If destination NAT was performed, the post-NAT destination IP address.

Rule Name (rule): Name of the rule that the session matched.

Source User (srcuser): Username of the user who initiated the session.

Destination User (dstuser): Username of the user to which the session was destined.

Application (app): Application associated with the session.

Virtual System (vsys): Virtual system associated with the session.

Source Zone (from): Zone the session was sourced from.

Destination Zone (to): Zone the session was destined to.

Ingress Interface (inbound_if): Interface that the session was sourced from.

Egress Interface (outbound_if): Interface that the session was destined to.

Log Forwarding Profile (logset): Log Forwarding Profile that was applied to the session.

Session ID (sessionid): An internal numerical identifier applied to each session.

Repeat Count (repeatcnt): Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only.

Source Port (sport): Source port utilized by the session.

Destination Port (dport): Destination port utilized by the session.

NAT Source Port (natsport): Post-NAT source port.

NAT Destination Port (natdport): Post-NAT destination port.

Flags (flags): 32-bit field that provides details on the session; decode it by AND-ing each of the following values with the logged value:
  0x80000000: session has a packet capture (PCAP)
  0x02000000: IPv6 session
  0x01000000: SSL session was decrypted (SSL Proxy)
  0x00800000: session was denied via URL filtering
  0x00400000: session had a NAT translation performed (NAT)
  0x00200000: user information for the session was captured via the captive portal (Captive Portal)
  0x00080000: X-Forwarded-For value from a proxy is in the source user field
  0x00040000: log corresponds to a transaction within an HTTP proxy session (Proxy Transaction)
  0x00008000: session is a container page access (Container Page)
  0x00002000: session has a temporary match on a rule for implicit application dependency handling (available in PAN-OS 5.0.0 and above)
  0x00000800: symmetric return was used to forward traffic for this session

Protocol (proto): IP protocol associated with the session.

Action (action): Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, and block-url.
  alert: threat or URL detected but not blocked
  allow: flood detection alert
  deny: flood detection mechanism activated and traffic denied based on configuration
  drop: threat detected and the associated session was dropped
  drop-all-packets: threat detected and the session remains, but all packets are dropped
  reset-client: threat detected and a TCP RST was sent to the client
  reset-server: threat detected and a TCP RST was sent to the server
  reset-both: threat detected and a TCP RST was sent to both the client and the server
  block-url: URL request was blocked because it matched a URL category that was set to be blocked

Miscellaneous (misc): Field of variable length with a maximum of 1023 characters:
  the actual URI when the subtype is url
  file name or file type when the subtype is file
  file name when the subtype is virus
  file name when the subtype is wildfire

Threat ID (threatid): Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some subtypes:
  8000-8099: scan detection
  8500-8599: flood detection
  9999: URL filtering log
  10000-19999: spyware phone home detection
  20000-29999: spyware download detection
  30000-44999: vulnerability exploit detection
  52000-52999: file type detection
  60000-69999: data filtering detection
  100000-2999999: virus detection
  3000000-3999999: WildFire signature feed
  4000000-4999999: DNS botnet signatures

Category (category): For the url subtype, it is the URL category; for the wildfire subtype, it is the verdict on the file and is either malicious, grayware, or benign; for other subtypes, the value is any.

Severity (severity): Severity associated with the threat; values are informational, low, medium, high, and critical.

Direction (direction): Indicates the direction of the attack, client-to-server or server-to-client:
  0: direction of the threat is client to server
  1: direction of the threat is server to client

Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating whether the log was forwarded to Panorama.

Source Location (srcloc): Source country or internal region for private addresses; maximum length is 32 bytes.

Destination Location (dstloc): Destination country or internal region for private addresses; maximum length is 32 bytes.

Content Type (contenttype): Applicable only when the subtype is url. Content type of the HTTP response data; maximum length is 32 bytes.

PCAP ID (pcap_id): A 64-bit unsigned integer that correlates threat pcap files with the extended pcaps taken as part of that flow. Every threat log contains either a pcap_id of 0 (no associated pcap) or an ID referencing the extended pcap file.

File Digest (filedigest): Only for the wildfire subtype; all other subtypes do not use this field. The filedigest string is the binary hash of the file sent to be analyzed by the WildFire service.

Cloud (cloud): Only for the wildfire subtype; all other subtypes do not use this field. The cloud string is the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) to which the file was uploaded for analysis.

URL Index (url_idx) [New in v7.0!]: Used in the url and wildfire subtypes. When an application uses TCP keepalives to keep a connection open for a length of time, all the log entries for that session have a single session ID. In such cases, when you have a single threat log (and session ID) that includes multiple URL entries, the url_idx is a counter that allows you to correlate the order of each log entry within the single session.
  For example, to learn the URL of a file that the firewall forwarded to WildFire for analysis, locate the session ID and the url_idx in the WildFire Submissions log and search for the same session ID and url_idx in your URL Filtering logs. The log entry that matches the session ID and url_idx contains the URL of the file that was forwarded to WildFire.

User Agent (user_agent): Only for the url subtype; all other subtypes do not use this field. The User Agent field specifies the web browser that the user used to access the URL, for example Internet Explorer.  This information is sent in the HTTP request to the server.

File Type (filetype): Only for the wildfire subtype; all other subtypes do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis.

X-Forwarded-For (xff): Only for the url subtype; all other subtypes do not use this field. The X-Forwarded-For field in the HTTP header contains the IP address of the user who requested the web page. It allows you to identify the IP address of the user, which is particularly useful if you have a proxy server on your network that replaces the user's IP address with its own address in the source IP address field of the packet header. Because the header travels in the request itself, treat the value as reliable only when it was inserted by a proxy you control; a client can send an X-Forwarded-For header of its own.

Referer (referer): Only for the url subtype; all other subtypes do not use this field. The Referer field in the HTTP header contains the URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.

Sender (sender): Only for the wildfire subtype; all other subtypes do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.

Subject (subject): Only for the wildfire subtype; all other subtypes do not use this field. Specifies the subject of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.

Recipient (recipient): Only for the wildfire subtype; all other subtypes do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.

Report ID (reportid): Only for the wildfire subtype; all other subtypes do not use this field. Identifies the analysis request on the WildFire cloud or the WildFire appliance.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) [New in v7.0!]: A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34, or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name) [New in v7.0!]: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name) [New in v7.0!]: The hostname of the firewall on which the session was logged.
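
As an added example (not code from this guide or from Palo Alto Networks), the following Python parses threat log message bodies using the column order listed above, extracts the numeric threat ID from the parenthesised suffix of the Threat ID field and classifies it by the number spaces in the Threat ID row, normalizes the Direction field, and performs the correlation the URL Index row describes: joining a WildFire Submissions entry to the URL Filtering entry that shares its session ID and url_idx to recover the download URL of the submitted file. The four messages are constructed for the example (addresses, rule names, the signature name, the file digest and the report ID are placeholders, and the syslog header is omitted).

```python
import csv
import io
import re

# Column order of the PAN-OS 7.0 threat log format (the Format line above),
# keyed by the syslog field names from the table.
THREAT_FIELDS = [
    "future_use_0", "receive_time", "serial", "type", "subtype", "future_use_5",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "logset", "future_use_21", "sessionid", "repeatcnt", "sport", "dport",
    "natsport", "natdport", "flags", "proto", "action", "misc", "threatid",
    "category", "severity", "direction", "seqno", "actionflags", "srcloc",
    "dstloc", "future_use_40", "contenttype", "pcap_id", "filedigest", "cloud",
    "url_idx", "user_agent", "filetype", "xff", "referer", "sender", "subject",
    "recipient", "reportid", "dg_hier_level_1", "dg_hier_level_2",
    "dg_hier_level_3", "dg_hier_level_4", "vsys_name", "device_name",
    "future_use_60",
]

# Threat ID number spaces, from the Threat ID row above.
THREAT_ID_RANGES = [
    (8000, 8099, "scan"), (8500, 8599, "flood"), (9999, 9999, "url-filtering"),
    (10000, 19999, "spyware-phone-home"), (20000, 29999, "spyware-download"),
    (30000, 44999, "vulnerability"), (52000, 52999, "file-type"),
    (60000, 69999, "data-filtering"), (100000, 2999999, "virus"),
    (3000000, 3999999, "wildfire-signature"), (4000000, 4999999, "dns-botnet"),
]
THREAT_ID_RE = re.compile(r"\((\d+)\)\s*$")  # trailing "(<number>)"
DIRECTIONS = {"0": "client-to-server", "1": "server-to-client"}


def split_fields(message):
    return next(csv.reader(io.StringIO(message)))


def threat_id_number(threatid):
    """The numeric ID is the parenthesised number at the end of the field;
    the description before it may itself contain parentheses."""
    m = THREAT_ID_RE.search(threatid)
    return int(m.group(1)) if m else None


def classify_threat_id(number):
    for low, high, label in THREAT_ID_RANGES:
        if low <= number <= high:
            return label
    return "unknown"


def parse_threat(message):
    fields = split_fields(message)
    if len(fields) != len(THREAT_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(THREAT_FIELDS), len(fields)))
    rec = dict(zip(THREAT_FIELDS, fields))
    if rec["type"].lower() != "threat":
        raise ValueError("not a threat log: %r" % rec["type"])
    num = threat_id_number(rec["threatid"])
    rec["threat_id_num"] = num
    rec["threat_class"] = classify_threat_id(num) if num is not None else "unknown"
    rec["direction"] = DIRECTIONS.get(rec["direction"], rec["direction"])
    rec["has_pcap"] = rec["pcap_id"] not in ("", "0")
    return rec


def correlate_wildfire_urls(records):
    """Map each WildFire submission's file digest to the URL it was fetched
    from, by joining the wildfire entry to the url entry with the same session
    ID and url_idx (the lookup the URL Index row describes)."""
    urls = {(r["sessionid"], r["url_idx"]): r["misc"]
            for r in records if r["subtype"] == "url"}
    found = {}
    for r in records:
        if r["subtype"] == "wildfire":
            url = urls.get((r["sessionid"], r["url_idx"]))
            if url is not None:
                found[r["filedigest"]] = url
    return found


# Constructed sample messages (not real firewall output); syslog header omitted.
WILDFIRE_DIGEST = "0123456789abcdef" * 4  # placeholder, not a real file hash
_SESSION = ("10.1.1.20,203.0.113.10,198.51.100.5,203.0.113.10,allow-web,corp\\jdoe,,"
            "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-to-siem,1,"
            "34567,1,51234,80,41000,80,0x400000,tcp,")
_TAIL = "12,34,45,0,vsys1,fw-dc1,0"
THREAT_SAMPLES = [
    "1,2015/12/23 10:14:52,001801000001,THREAT,url,1,2015/12/23 10:14:52," + _SESSION +
    "alert,\"www.example.net/\",(9999),computer-and-internet-info,informational,0,70001,"
    "0x0,10.0.0.0-10.255.255.255,US,0,text/html,0,,,1,Mozilla/5.0,,,,,,,," + _TAIL,
    # second URL in the same session (url_idx 2); the URL contains a comma, so it is quoted
    "1,2015/12/23 10:15:28,001801000001,THREAT,url,1,2015/12/23 10:15:28," + _SESSION +
    "alert,\"www.example.net/get?file=setup.exe,v=2\",(9999),computer-and-internet-info,"
    "informational,0,70002,0x0,10.0.0.0-10.255.255.255,US,0,application/octet-stream,0,,,2,"
    "Mozilla/5.0,,,,,,,," + _TAIL,
    # WildFire submission for the file fetched at url_idx 2 of that session
    "1,2015/12/23 10:15:30,001801000001,THREAT,wildfire,1,2015/12/23 10:15:30," + _SESSION +
    "allow,\"setup.exe\",Windows Executable (EXE)(52020),malicious,medium,1,70003,0x0,"
    "10.0.0.0-10.255.255.255,US,0,,0," + WILDFIRE_DIGEST + ",wildfire.paloaltonetworks.com,"
    "2,,pe,,,,,,123456," + _TAIL,
    # vulnerability log in another session, with a packet capture and an empty quoted misc
    "1,2015/12/23 10:20:05,001801000001,THREAT,vulnerability,1,2015/12/23 10:20:05,"
    "198.51.100.77,10.1.1.50,,,allow-inbound-smb,,,ms-ds-smb,vsys1,untrust,dmz,ethernet1/1,"
    "ethernet1/3,fwd-to-siem,1,34580,1,40321,445,0,0,0x80000000,tcp,reset-both,\"\","
    "example-signature-name(31234),any,critical,0,70004,0x0,US,10.0.0.0-10.255.255.255,0,,"
    "1234567890,,,0,,,,,,,,," + _TAIL,
]

if __name__ == "__main__":
    recs = [parse_threat(m) for m in THREAT_SAMPLES]
    for r in recs:
        print(r["sessionid"], r["subtype"], r["threat_class"], r["direction"], r["misc"])
    print(correlate_wildfire_urls(recs))
```

The join key is the pair (sessionid, url_idx), not the session ID alone: with keepalive connections one session carries many URL entries, and only the url_idx tells which of them the submission belongs to.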

HIP Match Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source User, Virtual System, Machine name, OS, Source Address, HIP, Repeat Count, HIP Type, FUTURE_USE, FUTURE_USE, Sequence Number, Action Flags, Device Group Hierarchy Level 1*, Device Group Hierarchy Level 2*, Device Group Hierarchy Level 3*, Device Group Hierarchy Level 4*, Virtual System Name*, Device Name*

Field Name (syslog key): Description

Receive Time (receive_time): Time the log was received at the management plane.

Serial Number (serial): Serial number of the device that generated the log.

Type (type): Type of log; values are traffic, threat, config, system, and hip-match.

Subtype (subtype): Subtype of HIP match log; unused.

Generated Time (time_generated): Time the log was generated on the dataplane.

Source User (srcuser): Username of the user who initiated the session.

Virtual System (vsys): Virtual system associated with the HIP match log.

Machine Name (machinename): Name of the user's machine.

OS: The operating system installed on the user's machine or device (or on the client system).

Source Address (src): IP address of the source user.

HIP (matchname): Name of the HIP object or profile.

Repeat Count (repeatcnt): Number of times the HIP profile matched.

HIP Type (matchtype): Whether the HIP field represents a HIP object or a HIP profile.

Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating whether the log was forwarded to Panorama.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) [New in v7.0!]: A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34, or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name) [New in v7.0!]: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name) [New in v7.0!]: The hostname of the firewall on which the session was logged.

Config Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags, Before Change Detail, After Change Detail, Device Group Hierarchy Level 1*, Device Group Hierarchy Level 2*, Device Group Hierarchy Level 3*, Device Group Hierarchy Level 4*, Virtual System Name*, Device Name*

Field Name (syslog key): Description

Receive Time (receive_time): Time the log was received at the management plane.

Serial Number (serial): Serial number of the device that generated the log.

Type (type): Type of log; values are traffic, threat, config, system, and hip-match.

Subtype (subtype): Subtype of configuration log; unused.

Generated Time (time_generated): Time the log was generated on the dataplane.

Host (host): Hostname or IP address of the client machine.

Virtual System (vsys): Virtual system associated with the configuration log.

Command (cmd): Command performed by the administrator; values are add, clone, commit, delete, edit, move, rename, and set.

Admin (admin): Username of the administrator performing the configuration.

Client (client): Client used by the administrator; values are Web and CLI.

Result (result): Result of the configuration action; values are Submitted, Succeeded, Failed, and Unauthorized.

Configuration Path (path): The path of the configuration command issued; up to 512 bytes in length.

Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating whether the log was forwarded to Panorama.

Before Change Detail (before_change_detail): This field is in custom logs only; it is not in the default format. It contains the full xpath before the configuration change.

After Change Detail (after_change_detail): This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) [New in v7.0!]: A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34, or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name) [New in v7.0!]: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name) [New in v7.0!]: The hostname of the firewall on which the session was logged.

System Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1*, Device Group Hierarchy Level 2*, Device Group Hierarchy Level 3*, Device Group Hierarchy Level 4*, Virtual System Name*, Device Name*

Field Name (syslog key): Description

Receive Time (receive_time): Time the log was received at the management plane.

Serial Number (serial): Serial number of the device that generated the log.

Type (type): Type of log; values are traffic, threat, config, system, and hip-match.

Subtype (subtype): Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, and vpn.

Generated Time (time_generated): Time the log was generated on the dataplane.

Virtual System (vsys): Virtual system associated with the system log.

Event ID (eventid): String showing the name of the event.

Object (object): Name of the object associated with the system event.

Module (module): This field is valid only when the value of the Subtype field is general. It provides additional information about the sub-system generating the log; values are general, management, auth, ha, upgrade, and chassis.

Severity (severity): Severity associated with the event; values are informational, low, medium, high, and critical.

Description (opaque): Detailed description of the event, up to a maximum of 512 bytes.

Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating whether the log was forwarded to Panorama.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) [New in v7.0!]: A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34, or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name) [New in v7.0!]: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name) [New in v7.0!]: The hostname of the firewall on which the session was logged.

Syslog Severity

The syslog severity is set based on the log type and contents.

Log Type/Severity: Syslog Severity
  Traffic: Info
  Config: Info
  Threat/System, Informational: Info
  Threat/System, Low: Notice
  Threat/System, Medium: Warning
  Threat/System, High: Error
  Threat/System, Critical: Critical
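
As an added example (not code from this guide or from Palo Alto Networks), the following Python ties the Config Logs and System Logs formats above to the severity table: it dispatches on the Type field to the right column list, tolerates the two-column difference between a config log that carries Before/After Change Detail and one in the default format that does not, derives the syslog severity the firewall assigns per the table, and picks out the records an analyst would want to see first (configuration attempts that were refused or failed, and system events that map to syslog error or critical). The three messages are constructed for the example: serial number, hostnames, admin names, the event text and the configuration path are placeholders, and the syslog header is omitted.

```python
import csv
import io

# Column orders of the PAN-OS 7.0 config and system log formats (the Format
# lines above), keyed by the syslog field names from the tables.
CONFIG_FIELDS = [
    "future_use_0", "receive_time", "serial", "type", "subtype", "future_use_5",
    "time_generated", "host", "vsys", "cmd", "admin", "client", "result", "path",
    "seqno", "actionflags", "before_change_detail", "after_change_detail",
    "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4",
    "vsys_name", "device_name",
]
SYSTEM_FIELDS = [
    "future_use_0", "receive_time", "serial", "type", "subtype", "future_use_5",
    "time_generated", "vsys", "eventid", "object", "future_use_10",
    "future_use_11", "module", "severity", "opaque", "seqno", "actionflags",
    "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4",
    "vsys_name", "device_name",
]

# Threat/System severity to syslog severity, from the Syslog Severity table.
SEVERITY_TO_SYSLOG = {"informational": "info", "low": "notice",
                      "medium": "warning", "high": "error", "critical": "critical"}


def split_fields(message):
    return next(csv.reader(io.StringIO(message)))


def parse_message(message):
    """Dispatch on the Type field (fourth column) to the matching column list."""
    fields = split_fields(message)
    log_type = fields[3].lower() if len(fields) > 3 else ""
    if log_type == "config":
        # Before/After Change Detail exist only in custom formats; a default
        # format line is two fields shorter, so pad them in as empty strings.
        if len(fields) == len(CONFIG_FIELDS) - 2:
            fields = fields[:16] + ["", ""] + fields[16:]
        names = CONFIG_FIELDS
    elif log_type == "system":
        names = SYSTEM_FIELDS
    else:
        raise ValueError("unsupported log type %r" % fields[3:4])
    if len(fields) != len(names):
        raise ValueError("%s log: expected %d fields, got %d" % (log_type, len(names), len(fields)))
    return dict(zip(names, fields))


def syslog_severity(rec):
    """Syslog severity the firewall assigns, per the table above."""
    log_type = rec["type"].lower()
    if log_type in ("traffic", "config"):
        return "info"
    if log_type in ("threat", "system"):
        return SEVERITY_TO_SYSLOG[rec["severity"].lower()]
    raise ValueError("no severity mapping for %r" % rec["type"])


def audit_findings(records):
    """(seqno, summary) for refused or failed configuration attempts and for
    system events at syslog error level or worse."""
    findings = []
    for rec in records:
        log_type = rec["type"].lower()
        if log_type == "config" and rec["result"] in ("Unauthorized", "Failed"):
            findings.append((rec["seqno"], "config %s: %s by %s via %s from %s on %r" % (
                rec["result"].lower(), rec["cmd"], rec["admin"], rec["client"],
                rec["host"], rec["path"])))
        elif log_type == "system" and syslog_severity(rec) in ("error", "critical"):
            findings.append((rec["seqno"], "system %s/%s: %s" % (
                rec["subtype"], rec["module"], rec["opaque"])))
    return findings


# Constructed sample messages (not real firewall output); syslog header omitted.
SAMPLES = [
    # system log with subtype general, so the Module field is meaningful
    "1,2015/12/23 10:30:00,001801000001,SYSTEM,general,1,2015/12/23 10:30:00,,"
    "general,,0,0,auth,high,failed authentication for user admin from 10.1.1.99,"
    "80001,0x0,12,34,45,0,vsys1,fw-dc1",
    # config log in a custom format that carries the (empty) before/after change detail
    "1,2015/12/23 10:31:00,001801000001,CONFIG,0,1,2015/12/23 10:31:00,10.1.1.99,"
    "vsys1,set,jdoe,CLI,Unauthorized,deviceconfig system,80002,0x0,,,"
    "12,34,45,0,vsys1,fw-dc1",
    # config log in the default format, two fields shorter
    "1,2015/12/23 10:32:00,001801000001,CONFIG,0,1,2015/12/23 10:32:00,10.1.1.99,"
    "vsys1,commit,jdoe,Web,Succeeded,,80003,0x0,12,34,45,0,vsys1,fw-dc1",
]

if __name__ == "__main__":
    recs = [parse_message(m) for m in SAMPLES]
    for rec in recs:
        print(rec["type"], rec["seqno"], syslog_severity(rec))
    for seqno, summary in audit_findings(recs):
        print(seqno, summary)
```

Padding the two optional columns by position rather than by sniffing content is the safer choice: the Configuration Path and change-detail fields are free text and may contain anything the administrator typed, so their presence cannot be inferred from their values.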

Custom Log/Event Format


To facilitate the integration with external log parsing systems, the firewall allows you to customize the log
format; it also allows you to add custom Key: Value attribute pairs. Custom message formats can be configured
under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format.
To achieve ArcSight Common Event Format (CEF) compliant log formatting, refer to the CEF Configuration
Guide.

Escape Sequences
Any field that contains a comma or a double-quote is enclosed in double quotes. Furthermore, if a double-quote
appears inside a field it is escaped by preceding it with another double-quote. To maintain backward
compatibility, the Misc field in threat log is always enclosed in double-quotes.
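
The quoting rule above, implemented by hand as an added example (not the guide's own code), in both directions: escape_field and join_fields produce a line the way the firewall would, and split_fields parses one back and raises on input that breaks the rule (an unterminated quote, text after a closing quote, or a bare quote inside an unquoted field) instead of guessing. Python's csv module accepts the same convention with its default dialect; the hand-written splitter is for collectors that must reject a truncated or tampered line rather than tolerate it. The sample field values are constructed; MISC_COLUMN is the 0-based position of Miscellaneous in the threat log format listed above.

```python
def escape_field(value, force_quote=False):
    """Quote a field the way the firewall does: wrap it in double quotes when
    it contains a comma or a double quote (or when forced, as for the threat
    log Misc field), doubling every embedded double quote."""
    if force_quote or "," in value or '"' in value:
        return '"' + value.replace('"', '""') + '"'
    return value


def join_fields(fields, always_quote=()):
    """Serialise a field list; always_quote holds the indexes of columns that
    are quoted regardless of content."""
    return ",".join(escape_field(v, i in always_quote) for i, v in enumerate(fields))


def split_fields(line):
    """Inverse of join_fields. Raises ValueError on an unterminated quoted
    field, text after a closing quote, or a bare quote in an unquoted field."""
    fields, buf, i, n = [], [], 0, len(line)
    while True:
        if i < n and line[i] == '"':                      # quoted field
            i += 1
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted field")
                ch = line[i]
                if ch == '"':
                    if i + 1 < n and line[i + 1] == '"':  # doubled quote
                        buf.append('"')
                        i += 2
                        continue
                    i += 1                                # closing quote
                    break
                buf.append(ch)
                i += 1
            if i < n and line[i] != ",":
                raise ValueError("text after closing quote at offset %d" % i)
        else:                                             # unquoted field
            while i < n and line[i] != ",":
                if line[i] == '"':
                    raise ValueError("bare quote in unquoted field at offset %d" % i)
                buf.append(line[i])
                i += 1
        fields.append("".join(buf))
        buf = []
        if i >= n:
            return fields
        i += 1                                            # step over the comma


MISC_COLUMN = 31  # 0-based index of Miscellaneous in the threat log format above

# Constructed sample values (not real firewall output).
SAMPLE_FIELDS = ["alert", "www.example.net/q?a=1,b=2", 'say "hi"', "", "(9999)"]


def roundtrip(fields, always_quote=()):
    return split_fields(join_fields(fields, always_quote)) == fields


if __name__ == "__main__":
    print(join_fields(SAMPLE_FIELDS, always_quote=(3,)))
    for bad in ('a,"b', 'a,b"c', '"a"b,c'):
        try:
            split_fields(bad)
        except ValueError as err:
            print("rejected %r: %s" % (bad, err))
```

A collector that splits on commas without honouring the quotes will mis-parse any URL or file name containing a comma, and an attacker who controls such a value (the request URI is one) can shift the columns that follow it.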


SNMP Monitoring and Traps


The following topics describe how Palo Alto Networks devices implement Simple Network Management
Protocol (SNMP), and the procedures to configure SNMP monitoring and trap delivery.

SNMP for Palo Alto Networks Devices

Use an SNMP Manager to Explore MIBs and Objects

Enable SNMP Services for Firewall-Secured Network Elements

Monitor Device Statistics Using SNMP

Forward Traps to an SNMP Manager

Supported MIBs


SNMP for Palo Alto Networks Devices


You can use a Simple Network Management Protocol (SNMP) manager to monitor event-driven alerts and
operational statistics for Palo Alto Networks devices and the traffic that those devices secure. The statistics and
traps can help you identify resource limitations, system changes or failures, and malware attacks. You configure
devices to send the alerts by forwarding log data as traps, and enable devices to send statistics in response to
GET messages (requests) from your SNMP manager. Each trap and statistic has an object identifier (OID).
Related OIDs are organized hierarchically within the Management Information Bases (MIBs) that you load into
the SNMP manager to enable monitoring.
Palo Alto Networks devices support SNMP Version 2c and Version 3. Decide which to use based on the version
that other devices in your network support and on your network security requirements. SNMPv3 is more secure
and enables more granular access control for device statistics than SNMPv2c. The following table summarizes
the security features of each version. You select the version and configure the security features when you
Monitor Device Statistics Using SNMP and Forward Traps to an SNMP Manager.
SNMPv2c
  Device/User Authentication: Community string
  Message Privacy: No (cleartext)
  Message Integrity: No
  MIB Access Granularity: SNMP community access for all MIBs on a device

SNMPv3
  Device/User Authentication: EngineID, username, and authentication password (SHA hashing for the password)
  Message Privacy: Privacy password for AES 128 encryption of SNMP messages
  Message Integrity: Yes
  MIB Access Granularity: User access based on views that include or exclude specific OIDs
Figure: SNMP for Palo Alto Networks Devices illustrates a deployment in which firewalls forward traps to an
SNMP manager while also forwarding logs to Log Collectors. Alternatively, you could configure the Log
Collectors to forward the firewall traps to the SNMP manager. For details on these deployments, refer to Log
Forwarding Options. In all deployments, the SNMP manager gets statistics directly from the devices. In this
example, a single SNMP manager collects both traps and statistics, though you can use separate managers for
these functions if that better suits your network.

Figure: SNMP for Palo Alto Networks Devices

Use an SNMP Manager to Explore MIBs and Objects


To use SNMP for monitoring Palo Alto Networks devices, you must first load the Supported MIBs into your
SNMP manager and determine which object identifiers (OIDs) correspond to the statistics and traps you want
to monitor. The following topics provide an overview of how to find OIDs and MIBs in an SNMP manager.
For the specific steps to perform these tasks, refer to your SNMP management software.

Identify a MIB Containing a Known OID

Walk a MIB

Identify the OID for a Palo Alto Networks Device Statistic or Trap

Identify a MIB Containing a Known OID


If you already know the OID for a particular SNMP object (device statistic or trap) and want to know the OIDs
of similar objects so you can monitor them, you can explore the MIB that contains the known OID.
Identify a MIB Containing a Known OID

Step 1

Load all the Supported MIBs into your SNMP manager.

Step 2

Search the entire MIB tree for the known OID. The search result displays the MIB path for the OID, as well as
information about the OID (for example, name, status, and description). You can then select other OIDs in the
same MIB to see information about them.

Step 3

Optionally, Walk a MIB to display all its objects.

Walk a MIB
If you want to see which SNMP objects (device statistics and traps) are available for monitoring, displaying all
the objects of a particular MIB can be useful. To do this, load the Supported MIBs into your SNMP manager
and perform a walk on the desired MIB. To list the traps that Palo Alto Networks devices support, walk the
panCommonEventEventsV2 MIB. In the following example, walking the PAN-COMMON-MIB.my displays
the following list of OIDs and their values for certain device statistics:

Identify the OID for a Palo Alto Networks Device Statistic or Trap
To use an SNMP manager for monitoring Palo Alto Networks devices, you must know the OIDs of the device
statistics and traps you want to monitor.
Identify the OID for a Palo Alto Networks Device Statistic or Trap

Step 1

Review the Supported MIBs to determine which one contains the type of statistic you want. For example, the
PAN-COMMON-MIB.my contains device version information. The panCommonEventEventsV2 MIB
contains all the traps that Palo Alto Networks devices support.

Step 2

Open the MIB in a text editor and perform a keyword search. For example, using Hardware version as a search
string in PAN-COMMON-MIB identifies the panSysHwVersion object:

    panSysHwVersion OBJECT-TYPE
        SYNTAX      DisplayString (SIZE(0..128))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Hardware version of the unit."
        ::= { panSys 2 }

Step 3

In a MIB browser, search the MIB tree for the identified object name to display its OID. For example, the
panSysHwVersion object has an OID of 1.3.6.1.4.1.25461.2.1.2.1.2.

Step 4

Step 5
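As an added example (not Palo Alto Networks code and not part of the guide), the following Python does what Steps 2 and 3 describe with a text editor and a MIB browser: it parses the "name ::= { parent n }" assignments from a constructed excerpt written in the style of PAN-COMMON-MIB.my, searches DESCRIPTION text for a keyword, and walks the parent chain to produce the numeric OID. Only panSysHwVersion and the two OIDs the guide lists come from the page; the panCommonObjs, panSession and panSessionUtilization names, and the prefix 1.3.6.1.4.1.25461.2.1.2 seeded as the root, are assumptions derived from those OIDs.

```python
"""Resolve MIB object names to numeric OIDs (what a MIB browser does in Step 3).

Added example for this guide, not Palo Alto Networks code. It handles the
SMIv2 subset that the guide's panSysHwVersion excerpt uses: OBJECT-TYPE and
OBJECT IDENTIFIER definitions that end in "::= { parent n }".
"""
import re
from typing import Dict, List

# Constructed excerpt in the style of PAN-COMMON-MIB.my. panSysHwVersion is the
# object the guide shows; panCommonObjs, panSession and panSessionUtilization
# are assumed names for this example.
SAMPLE_MIB = """
panSys      OBJECT IDENTIFIER ::= { panCommonObjs 1 }
panSession  OBJECT IDENTIFIER ::= { panCommonObjs 3 }

panSysHwVersion OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..128))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Hardware version of the unit."
    ::= { panSys 2 }

panSessionUtilization OBJECT-TYPE
    SYNTAX      Gauge32   -- an SMI comment, stripped before parsing
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Session table utilization percentage."
    ::= { panSession 1 }
"""

# Root seeded from the guide: panSysHwVersion (...25461.2.1.2.1.2) and the
# session utilization statistic (...25461.2.1.2.3.1.0) share this prefix.
KNOWN_ROOTS = {"panCommonObjs": "1.3.6.1.4.1.25461.2.1.2"}

DEF_RE = re.compile(
    r"(?P<name>[A-Za-z][\w-]*)\s+(?P<kind>OBJECT-TYPE|OBJECT IDENTIFIER)"
    r"(?P<body>.*?)::=\s*\{\s*(?P<parent>[A-Za-z][\w-]*)\s+(?P<sub>\d+)\s*\}",
    re.S,
)
DESC_RE = re.compile(r'DESCRIPTION\s*"([^"]*)"', re.S)


def parse_mib(text: str) -> Dict[str, dict]:
    """Return {name: {parent, sub, kind, description}} for every definition."""
    text = re.sub(r"--[^\n]*", "", text)  # drop SMI "--" comments
    defs: Dict[str, dict] = {}
    for m in DEF_RE.finditer(text):
        desc = DESC_RE.search(m.group("body"))
        defs[m.group("name")] = {
            "parent": m.group("parent"),
            "sub": int(m.group("sub")),
            "kind": m.group("kind"),
            "description": " ".join(desc.group(1).split()) if desc else "",
        }
    return defs


def resolve_oid(name: str, defs: Dict[str, dict], roots: Dict[str, str]) -> str:
    """Follow parent links up to a known root and assemble the dotted OID."""
    path: List[str] = []
    seen = set()
    while name not in roots:
        if name not in defs:
            raise KeyError(f"{name} is defined neither in the MIB nor in the known roots")
        if name in seen:
            raise ValueError(f"cyclic definition at {name}")
        seen.add(name)
        path.append(str(defs[name]["sub"]))
        name = defs[name]["parent"]
    return ".".join([roots[name]] + path[::-1])


def find_by_keyword(keyword: str, defs: Dict[str, dict]) -> List[str]:
    """Step 2 of the guide: a case-insensitive keyword search over DESCRIPTION text."""
    key = keyword.lower()
    return sorted(n for n, d in defs.items() if key in d["description"].lower())


def object_oids(defs: Dict[str, dict], roots: Dict[str, str]) -> Dict[str, str]:
    """Numeric OID of every OBJECT-TYPE, the view a MIB browser tree gives you."""
    return {n: resolve_oid(n, defs, roots)
            for n, d in defs.items() if d["kind"] == "OBJECT-TYPE"}


if __name__ == "__main__":
    definitions = parse_mib(SAMPLE_MIB)
    for obj in find_by_keyword("Hardware version", definitions):
        print(obj, resolve_oid(obj, definitions, KNOWN_ROOTS))
```

The GET instance of a scalar appends .0, which is why the guide's session utilization OID ends in 1.3.6.1.4.1.25461.2.1.2.3.1.0 while the object itself resolves to 1.3.6.1.4.1.25461.2.1.2.3.1.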

Enable SNMP Services for Firewall-Secured Network Elements


If you will use Simple Network Management Protocol (SNMP) to monitor or manage network elements (for
example, switches and routers) that are within the security zones of Palo Alto Networks firewalls, you must
create a security rule that allows SNMP services for those elements.
You don't need a security rule to enable SNMP monitoring of Palo Alto Networks devices. For
details, see Monitor Device Statistics Using SNMP.

Enable SNMP Services for Firewall-Secured Network Elements

Step 1

Create an application group.

1. Select Objects > Application Group and click Add.
2. Enter a Name to identify the application group.
3. Click Add, type snmp, and select snmp and snmp-trap from the drop-down.
4. Click OK to save the application group.

Step 2

Create a security rule to allow SNMP services.

1. Select Policies > Security and click Add.
2. In the General tab, enter a Name for the rule.
3. In the Source and Destination tabs, click Add and enter a Source Zone and a Destination Zone for the traffic.
4. In the Applications tab, click Add, type the name of the application group you just created, and select it from the drop-down.
5. In the Actions tab, verify that the Action is set to Allow, and then click OK and Commit.

Monitor Device Statistics Using SNMP


The statistics that a Simple Network Management Protocol (SNMP) manager collects from Palo Alto Networks
devices can help you gauge the health of your network (devices and connections), identify resource limitations,
and monitor traffic or processing loads. The statistics include information such as interface states (up or down),
active user sessions, concurrent sessions, session utilization, temperature, and system uptime.
You can't configure an SNMP manager to control Palo Alto Networks devices (using SET
messages), only to collect statistics from them (using GET messages).
For details on how SNMP is implemented for Palo Alto Networks devices, see SNMP for Palo Alto
Networks Devices.

Monitor Device Statistics Using SNMP

Step 1

Configure the SNMP manager to get statistics from devices.

The following steps provide an overview of the tasks you perform on the SNMP manager. For the specific steps, refer to the documentation of your SNMP manager.
1. To enable the SNMP manager to interpret device statistics, load the Supported MIBs for Palo Alto Networks devices and, if necessary, compile them.
2. For each device that the SNMP manager will monitor, define the connection settings (IP address and port) and authentication settings (SNMPv2c community string or SNMPv3 EngineID/username/password) for the device. Note that all Palo Alto Networks devices use port 161.
   The SNMP manager can use the same or different connection and authentication settings for multiple devices. The settings must match those you define when you configure SNMP on the device (see Step 3). For example, if you use SNMPv2c, the community string you define when configuring the device must match the community string you define in the SNMP manager for that device.
3. Determine the object identifiers (OIDs) of the statistics you want to monitor. For example, to monitor the session utilization percentage of a firewall, a MIB browser shows that this statistic corresponds to OID 1.3.6.1.4.1.25461.2.1.2.3.1.0 in PAN-COMMON-MIB.my. For details, see Use an SNMP Manager to Explore MIBs and Objects.
4. Configure the SNMP manager to monitor the desired OIDs.

Step 2

Enable SNMP traffic on a device interface. This is the interface that will receive statistics requests from the SNMP manager.

PAN-OS doesn't synchronize management (MGT) interface settings for devices in a high availability (HA) configuration. You must configure the interface for each HA peer.

Perform this step in the device web interface.

To enable SNMP traffic on the MGT interface:
1. Select Device > Setup > Management and edit the Management Interface Settings.
2. In the Services section, select the SNMP check box.
3. Click OK and Commit.

To enable SNMP traffic on any other interface:
1. Create an interface management profile for SNMP services:
   a. Select Network > Network Profiles > Interface Mgmt and click Add.
   b. Enter a Name for the profile, then select the check boxes for SNMP and any other services the interface must support.
   c. Click OK to save the profile.
2. Assign the profile to the interface that will receive the SNMP requests:
   a. Select Network > Interfaces and Add or edit the interface that will receive the SNMP requests. The interface type must be Layer 3 Ethernet.
   b. Select Advanced > Other Info and select the Management Profile you just created.
   c. Click OK and Commit.

Step 3

Configure the device to respond to statistics requests from an SNMP manager.

PAN-OS doesn't synchronize SNMP response settings for devices in a high availability (HA) configuration. You must configure these settings for each HA peer.

1. Select Device > Setup > Operations and, in the Miscellaneous section, click SNMP Setup.
2. Select the SNMP Version and configure the authentication values as follows. For version details, see SNMP for Palo Alto Networks Devices.
   V2c: Enter the SNMP Community String, which identifies a community of SNMP managers and monitored devices, and serves as a password to authenticate the community members to each other.
   As a best practice, don't use the default community string public; it's well known and therefore not secure.
   V3: Create at least one SNMP view group and one user. User accounts and views provide authentication, privacy, and access control when devices forward traps and SNMP managers get device statistics.
   Views: Each view is a paired OID and bitwise mask: the OID specifies a MIB and the mask (in hexadecimal format) specifies which objects are accessible within (include matching) or outside (exclude matching) that MIB. Click Add in the first list and enter a Name for the group of views. For each view in the group, click Add and configure the view Name, OID, matching Option (include or exclude), and Mask.
   Users: Click Add in the second list, enter a username under Users, select the View group from the drop-down, enter the authentication password (Auth Password) used to authenticate to the SNMP manager, and enter the privacy password (Priv Password) used to encrypt SNMP messages to the SNMP manager.
3. Click OK and Commit.

Step 4

Monitor the firewall statistics in an SNMP manager.

Refer to the documentation of your SNMP manager.
When monitoring statistics related to firewall interfaces, you must match the interface indexes in the SNMP manager with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
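The SNMPv3 view rules in Step 3 (an OID, a hexadecimal Mask, and an include or exclude Option) decide which objects a monitoring user can read. As an added example that is not Palo Alto Networks code, the following Python evaluates a constructed view group against OIDs from this chapter; it applies the VACM view-family semantics of RFC 3415 (mask bits select which sub-identifiers must match, the longest matching view wins), and it is an assumption of this example that PAN-OS masks follow that convention.

```python
"""SNMPv3 view matching: which OIDs does a PAN-OS view group expose?

Added example for this guide, not Palo Alto Networks code. It models the
view's OID, hexadecimal Mask and include/exclude Option after the VACM
view-family rules of RFC 3415; that PAN-OS applies the same convention is an
assumption of this example, so confirm it against your own walk results.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class View:
    name: str
    oid: str
    option: str      # "include" or "exclude", as in the PAN-OS view form
    mask: str = ""   # hex mask such as "0xffb0"; empty means every sub-identifier must match


def parse_oid(oid: str) -> List[int]:
    return [int(part) for part in oid.strip(".").split(".")]


def mask_bits(mask_hex: str, length: int) -> Tuple[bool, ...]:
    """Expand a hex mask into one 'must match' flag per sub-identifier of the view OID.

    The most significant bit of the first octet applies to the first sub-identifier;
    a 1 bit means the sub-identifier must match, a 0 bit makes it a wildcard, and
    sub-identifiers beyond the end of the mask are treated as 1 bits.
    """
    digits = mask_hex.lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    bits: List[bool] = []
    for ch in digits:
        value = int(ch, 16)
        bits.extend(bool(value & (1 << k)) for k in (3, 2, 1, 0))
    bits = bits[:length]
    return tuple(bits + [True] * (length - len(bits)))


def view_matches(view: View, oid: str) -> bool:
    """True when oid lies in the view's family: it is at least as long as the view
    OID and agrees with it on every sub-identifier the mask marks as significant."""
    family = parse_oid(view.oid)
    target = parse_oid(oid)
    if len(target) < len(family):
        return False
    bits = mask_bits(view.mask, len(family))
    return all(not must or f == t for must, f, t in zip(bits, family, target))


def is_accessible(views: Iterable[View], oid: str) -> bool:
    """Resolve overlapping include/exclude views the way VACM does: the matching
    view with the most sub-identifiers wins, ties go to the lexicographically
    greatest mask, and an OID that lies in no view at all is not accessible."""
    candidates = [v for v in views if view_matches(v, oid)]
    if not candidates:
        return False
    best = max(candidates,
               key=lambda v: (len(parse_oid(v.oid)),
                              mask_bits(v.mask, len(parse_oid(v.oid)))))
    return best.option == "include"


# Constructed view group for a read-only monitoring user. 1.3.6.1.4.1.25461.2.1.2
# is the prefix shared by the two PAN-COMMON-MIB OIDs the guide lists
# (panSysHwVersion ...2.1.2.1.2 and session utilization ...2.1.2.3.1.0).
MONITORING_VIEWS = [
    View("pan-common", "1.3.6.1.4.1.25461.2.1.2", "include"),
    # Hide the hardware version object that the guide resolves in "Identify the OID".
    View("no-hw-version", "1.3.6.1.4.1.25461.2.1.2.1.2", "exclude"),
    # MIB-II ifTable row for ifIndex 3 only: mask 0xffb0 wildcards the 10th
    # sub-identifier (the column), so every column of that row is visible
    # while rows for other interfaces are not.
    View("if-row-3", "1.3.6.1.2.1.2.2.1.1.3", "include", "0xffb0"),
]


if __name__ == "__main__":
    for oid in ("1.3.6.1.4.1.25461.2.1.2.3.1.0", "1.3.6.1.4.1.25461.2.1.2.1.2.0",
                "1.3.6.1.2.1.2.2.1.10.3", "1.3.6.1.2.1.2.2.1.10.4", "1.3.6.1.2.1.1.1.0"):
        state = "accessible" if is_accessible(MONITORING_VIEWS, oid) else "not in view"
        print(oid, state)
```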

Forward Traps to an SNMP Manager


Simple Network Management Protocol (SNMP) traps can alert you to system events (failures or changes in
hardware or software of Palo Alto Networks devices) or to threats (traffic that matches a firewall security rule)
that require immediate attention.
To see the list of traps that Palo Alto Networks devices support, use your SNMP Manager to
access the panCommonEventEventsV2 MIB. For details, see Use an SNMP Manager to Explore
MIBs and Objects.
For details on how Palo Alto Networks devices implement SNMP, see SNMP for Palo Alto
Networks Devices.

Forward Firewall Traps to an SNMP Manager

Step 1

Enable the SNMP manager to interpret the traps it receives.

Load the Supported MIBs for Palo Alto Networks devices and, if necessary, compile them. For the specific steps, refer to the documentation of your SNMP manager.

Step 2

Configure an SNMP Trap server profile. The profile defines how the device accesses the SNMP managers (trap servers). You can define up to four SNMP managers for each profile.

Optionally, you can configure separate SNMP Trap server profiles for different log types, severity levels, and WildFire verdicts.

1. Log in to the web interface of the Palo Alto Networks device.
2. Select Device > Server Profiles > SNMP Trap.
3. Click Add and enter a Name for the profile.
4. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
5. Select the SNMP Version and configure the authentication values as follows. For version details, see SNMP for Palo Alto Networks Devices.
   V2c: For each server, click Add and enter the server Name, IP address (SNMP Manager), and Community String. The community string identifies a community of SNMP managers and monitored devices, and serves as a password to authenticate the community members to each other.
   As a best practice, don't use the default community string public; it's well known and therefore not secure.
   V3: For each server, click Add and enter the server Name, IP address (SNMP Manager), SNMP User account (this must match a username defined in the SNMP manager), EngineID used to uniquely identify the device (you can leave the field blank to use the device serial number), authentication password (Auth Password) used to authenticate to the server, and privacy password (Priv Password) used to encrypt SNMP messages to the server.
6. Click OK to save the server profile.

Step 3

Configure log forwarding.

1. Configure the destinations of Traffic, Threat, and WildFire traps:
   a. Create a log forwarding profile. For each log type and each severity level or WildFire verdict, select the SNMP Trap server profile.
   b. Assign the log forwarding profile to security rules. The rules will trigger trap generation and forwarding.
2. Configure the destinations of System, Config, HIP Match, and Correlation logs. For each log (trap) type and severity level, select the SNMP Trap server profile.
3. Click Commit.

Step 4

Monitor the traps in an SNMP manager.

Refer to the documentation of your SNMP manager.
When monitoring traps related to firewall interfaces, you must match the interface indexes in the SNMP manager with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.

Supported MIBs
The following table lists the Simple Network Management Protocol (SNMP) management information bases
(MIBs) that Palo Alto Networks devices support. You must load these MIBs into your SNMP manager to
monitor the objects (device statistics and traps) that are defined in the MIBs. For details, see Use an SNMP
Manager to Explore MIBs and Objects.
MIB Type: Standard

The Internet Engineering Task Force (IETF) maintains most standard MIBs. You can download the MIBs from the IETF website.
Palo Alto Networks devices don't support every object (OID) in every one of these MIBs. See the Supported MIBs links for an overview of the supported OIDs.

Supported MIBs:
   MIB-II
   IF-MIB
   HOST-RESOURCES-MIB
   ENTITY-MIB
   ENTITY-SENSOR-MIB
   ENTITY-STATE-MIB
   IEEE 802.3 LAG MIB
   LLDP-V2-MIB.my

MIB Type: Enterprise

You can download the enterprise MIBs from the Palo Alto Networks Technical Documentation site.

Supported MIBs:
   PAN-COMMON-MIB.my
   PAN-GLOBAL-REG-MIB.my
   PAN-GLOBAL-TC-MIB.my
   PAN-LC-MIB.my
   PAN-PRODUCT-MIB.my
   PAN-ENTITY-EXT-MIB.my
   PAN-TRAPS.my

MIB-II
MIB-II provides object identifiers (OIDs) for network management protocols in TCP/IP-based networks. Use
this MIB to monitor general information about devices and interfaces. For example, you can analyze trends in
bandwidth usage by interface type (ifType object) to determine if the firewall needs more interfaces of that type
to accommodate spikes in traffic volume.
Palo Alto Networks devices support only the following object groups:

system: Provides device information such as the hardware model, system uptime, FQDN, and physical location.

interfaces: Provides statistics for physical and logical interfaces such as type, current bandwidth (speed), operational status (for example, up or down), and discarded packets. Logical interface support includes VPN tunnels, aggregate groups, Layer 2 subinterfaces, Layer 3 subinterfaces, loopback interfaces, and VLAN interfaces.

RFC 1213 defines this MIB.

IF-MIB
IF-MIB supports interface types (physical and logical) and larger counters (64K) beyond those defined in
MIB-II. Use this MIB to monitor interface statistics in addition to those that MIB-II provides. For example, to
monitor the current bandwidth of high-speed interfaces (greater than 2.2 Gbps) such as the 10G interfaces of the
PA-5000 Series firewalls, you must check the ifHighSpeed object in IF-MIB instead of the ifSpeed object in
MIB-II. IF-MIB statistics can be useful when evaluating the capacity of your network.
Palo Alto Networks devices support only the ifXTable in IF-MIB, which provides interface information such
as the number of multicast and broadcast packets transmitted and received, whether an interface is in
promiscuous mode, and whether an interface has a physical connector.
RFC 2863 defines this MIB.
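Reading ifSpeed on a 10G interface gives a misleading utilization figure because the 32-bit gauge cannot hold the real speed; the following Python, an added example that is not Palo Alto Networks code, computes in/out utilization from two constructed polls of the 64-bit ifXTable counters and shows the difference between taking the link speed from ifHighSpeed and from a saturated ifSpeed. The sample values and poll interval are constructed, not captured from a device.

```python
"""Interface utilization from IF-MIB counters, choosing ifHighSpeed over ifSpeed.

Added example for this guide, not Palo Alto Networks code. It works from
constructed poll samples rather than a live SNMP session, and shows why the
guide says to read ifHighSpeed for interfaces faster than ifSpeed can report.
"""
from dataclasses import dataclass
from typing import Tuple

# ifSpeed is a 32-bit gauge in bit/s. RFC 2863 requires it to report this
# maximum when the real speed does not fit, and ifHighSpeed (Mbit/s) to be used.
IFSPEED_MAX = 4_294_967_295


@dataclass(frozen=True)
class IfSample:
    """One poll of an interface: MIB-II ifSpeed, IF-MIB ifHighSpeed and the
    64-bit ifXTable counters ifHCInOctets / ifHCOutOctets, plus the poll time."""
    if_index: int
    if_speed: int         # bit/s, saturates at IFSPEED_MAX
    if_high_speed: int    # Mbit/s
    hc_in_octets: int
    hc_out_octets: int
    timestamp: float      # seconds


def link_speed_bps(sample: IfSample, prefer_high_speed: bool = True) -> int:
    """Return the link speed in bit/s. With prefer_high_speed, fall back to
    ifHighSpeed whenever ifSpeed is saturated or unknown (0)."""
    if prefer_high_speed and sample.if_speed in (0, IFSPEED_MAX):
        return sample.if_high_speed * 1_000_000
    return sample.if_speed


def counter_delta(previous: int, current: int, bits: int = 64) -> int:
    """Difference between two readings of a wrapping unsigned counter."""
    if current < previous:
        return current + (1 << bits) - previous
    return current - previous


def utilization_percent(prev: IfSample, curr: IfSample,
                        prefer_high_speed: bool = True) -> Tuple[float, float]:
    """Inbound and outbound utilization (percent of link speed) over the poll interval."""
    if prev.if_index != curr.if_index:
        raise ValueError("samples are from different interfaces")
    interval = curr.timestamp - prev.timestamp
    if interval <= 0:
        raise ValueError("samples must be in chronological order")
    speed = link_speed_bps(curr, prefer_high_speed)
    if speed == 0:
        raise ValueError("link speed unknown")
    in_bps = counter_delta(prev.hc_in_octets, curr.hc_in_octets) * 8 / interval
    out_bps = counter_delta(prev.hc_out_octets, curr.hc_out_octets) * 8 / interval
    return round(100 * in_bps / speed, 2), round(100 * out_bps / speed, 2)


# Constructed samples for a 10 Gbit/s interface polled 60 s apart: ifSpeed is
# saturated, ifHighSpeed reports 10000 Mbit/s, 7.5 GB came in and 3.75 GB went out.
POLL_T0 = IfSample(5, IFSPEED_MAX, 10_000, 1_000_000_000, 2_000_000_000, 1_000.0)
POLL_T1 = IfSample(5, IFSPEED_MAX, 10_000, 8_500_000_000, 5_750_000_000, 1_060.0)

if __name__ == "__main__":
    print("speed from ifHighSpeed:", utilization_percent(POLL_T0, POLL_T1))
    print("speed from saturated ifSpeed:", utilization_percent(POLL_T0, POLL_T1, False))
```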

HOST-RESOURCES-MIB
HOST-RESOURCES-MIB provides information for host computer resources. Use this MIB to monitor CPU
and memory usage statistics for devices. For example, checking the current CPU load (hrProcessorLoad object)
can help you troubleshoot performance issues on the firewall.
Palo Alto Networks devices support portions of the following object groups:

hrDevice: Provides information such as CPU load, storage capacity, and partition size. The hrProcessorLoad OIDs provide an average of the cores that process packets. For the PA-5060 firewall, which has multiple dataplanes (DPs), the average is of the cores across all three DPs that process packets.

hrSystem: Provides information such as device uptime, number of current user sessions, and number of current processes.

hrStorage: Provides information such as the amount of used storage.

RFC 2790 defines this MIB.

ENTITY-MIB
ENTITY-MIB provides OIDs for multiple logical and physical components. Use this MIB to determine what
physical components are loaded on a device (for example, fans and temperature sensors) and see related
information such as models and serial numbers. You can also use the index numbers for these components to
determine their operational status in the ENTITY-SENSOR-MIB and ENTITY-STATE-MIB.
Palo Alto Networks devices support only portions of the entPhysicalTable group:

entPhysicalIndex: A single namespace that includes disk slots and disk drives.

entPhysicalDescr: The component description.

entPhysicalVendorType: The sysObjectID (see PAN-PRODUCT-MIB.my) when it is available (chassis and module objects).

entPhysicalContainedIn: The value of entPhysicalIndex for the component that contains this component.

entPhysicalClass: Chassis (3), container (5) for a slot, power supply (6), fan (7), sensor (8) for each temperature or other environmental sensor, and module (9) for each line card.

entPhysicalParentRelPos: The relative position of this child component among its sibling components. Sibling components are defined as entPhysicalEntry components that share the same instance values of each of the entPhysicalContainedIn and entPhysicalClass objects.

entPhysicalName: Supported only if the management (MGT) interface allows for naming the line card.

entPhysicalHardwareRev: The vendor-specific hardware revision of the component.

entPhysicalFirmwareRev: The vendor-specific firmware revision of the component.

entPhysicalSoftwareRev: The vendor-specific software revision of the component.

entPhysicalSerialNum: The vendor-specific serial number of the component.

entPhysicalMfgName: The name of the manufacturer of the component.

entPhysicalMfgDate: The date when the component was manufactured.

entPhysicalModelName: The disk model number.

entPhysicalAlias: An alias that the network manager specified for the component.

entPhysicalAssetID: A user-assigned asset tracking identifier that the network manager specified for the component.

entPhysicalIsFRU: Indicates whether the component is a field replaceable unit (FRU).

entPhysicalUris: The Common Language Equipment Identifier (CLEI) number of the component (for example, URN:CLEI:CNME120ARA).

RFC 4133 defines this MIB.

ENTITY-SENSOR-MIB
ENTITY-SENSOR-MIB adds support for physical sensors of networking equipment beyond what
ENTITY-MIB defines. Use this MIB in tandem with the ENTITY-MIB to monitor the operational status of
the physical components of a device (for example, fans and temperature sensors). For example, to troubleshoot
issues that might result from environmental conditions, you can map the entity indexes from the ENTITY-MIB
(entPhysicalDescr object) to operational status values (entPhysSensorOperStatus object) in the
ENTITY-SENSOR-MIB. In the following example, all the fans and temperature sensors for a PA-3020 firewall
are working:

The same OID might refer to different sensors on different device platforms. Use the ENTITY-MIB
for the targeted platform to match the value to the description.

Palo Alto Networks devices support only portions of the entPhySensorTable group. The supported portions
vary by platform. The devices support only thermal (temperature in Celsius) and fan (in RPM) sensors.
RFC 3433 defines the ENTITY-SENSOR-MIB.

ENTITY-STATE-MIB
ENTITY-STATE-MIB provides information about the state of physical components beyond what
ENTITY-MIB defines, including the administrative and operational state of components in chassis-based
platforms. Use this MIB in tandem with the ENTITY-MIB to monitor the operational state of the components
of a PA-7000 Series firewall (for example, line cards, fan trays, and power supplies). For example, to troubleshoot
log forwarding issues for Threat logs, you can map the log processing card (LPC) indexes from the
ENTITY-MIB (entPhysicalDescr object) to operational state values (entStateOper object) in the
ENTITY-STATE-MIB. The operational state values use numbers to indicate state: 1 for unknown, 2 for
disabled, 3 for enabled, and 4 for testing. The PA-7000 Series firewall is the only Palo Alto Networks device that
supports this MIB.
RFC 4268 defines the ENTITY-STATE-MIB.

IEEE 802.3 LAG MIB


Use the IEEE 802.3 LAG MIB to monitor the status of aggregate groups that have Link Aggregation Control
Protocol (LACP) enabled. When the firewall logs LACP events, it also generates traps that are useful for
troubleshooting. For example, the traps can tell you whether traffic interruptions between the firewall and an
LACP peer resulted from lost connectivity or from mismatched interface speed and duplex values.
PAN-OS implements the following SNMP tables for LACP. Note that the dot3adTablesLastChanged object
indicates the time of the most recent change to dot3adAggTable, dot3adAggPortListTable, and
dot3adAggPortTable.

Aggregator Configuration Table (dot3adAggTable)
This table contains information about every aggregate group that is associated with a firewall. Each aggregate group has one entry.
Some table objects have restrictions, which the dot3adAggIndex object describes. This index is the unique identifier that the local system assigns to the aggregate group. It identifies an aggregate group instance among the subordinate managed objects of the containing object. The identifier is read-only.
The ifTable MIB (a list of interface entries) does not support logical interfaces and therefore does not have an entry for the aggregate group.

Aggregation Port List Table (dot3adAggPortListTable)
This table lists the ports associated with each aggregate group in a firewall. Each aggregate group has one entry.
The dot3adAggPortListPorts attribute lists the complete set of ports associated with an aggregate group. Each bit set in the list represents a port member. For non-chassis platforms, this is a 64-bit value. For chassis platforms, the value is an array of eight 64-bit entries.

Aggregation Port Table (dot3adAggPortTable)
This table contains LACP configuration information about every port associated with an aggregate group in a firewall. Each port has one entry. The table has no entries for ports that are not associated with an aggregate group.

LACP Statistics Table (dot3adAggPortStatsTable)
This table contains link aggregation information about every port associated with an aggregate group in a firewall. Each port has one row. The table has no entries for ports that are not associated with an aggregate group.

The IEEE 802.3 LAG MIB includes the following LACP-related traps:

panLACPLostConnectivityTrap: The peer lost connectivity to the firewall.
panLACPUnresponsiveTrap: The peer does not respond to the firewall.
panLACPNegoFailTrap: LACP negotiation with the peer failed.
panLACPSpeedDuplexTrap: The link speed and duplex settings on the firewall and peer do not match.
panLACPLinkDownTrap: An interface in the aggregate group is down.
panLACPLacpDownTrap: An interface was removed from the aggregate group.
panLACPLacpUpTrap: An interface was added to the aggregate group.

For the MIB definitions, refer to IEEE 802.3 LAG MIB.

LLDP-V2-MIB.my
Use the LLDP-V2-MIB to monitor Link Layer Discovery Protocol (LLDP) events. For example, you can check
the lldpV2StatsRxPortFramesDiscardedTotal object to see the number of LLDP frames that were discarded for
any reason. The Palo Alto Networks firewall uses LLDP to discover neighboring devices and their capabilities.
LLDP makes troubleshooting easier, especially for virtual wire deployments where the ping or traceroute
utilities won't detect the firewall.
Palo Alto Networks devices support all the LLDP-V2-MIB objects except:

The following lldpV2Statistics objects:
   lldpV2StatsRemTablesLastChangeTime
   lldpV2StatsRemTablesInserts
   lldpV2StatsRemTablesDeletes
   lldpV2StatsRemTablesDrops
   lldpV2StatsRemTablesAgeouts

The following lldpV2RemoteSystemsData objects:
   The lldpV2RemOrgDefInfoTable table
   In the lldpV2RemTable table: lldpV2RemTimeMark

RFC 4957 defines this MIB.

PAN-COMMON-MIB.my
Use the PAN-COMMON-MIB to monitor the following information for Palo Alto Networks devices:
panSys: Contains such objects as device software/hardware versions, dynamic content versions, serial number, HA mode/state, and global counters.
The global counters include those related to Denial of Service (DoS), IP fragmentation, TCP state, and dropped packets. Tracking these counters enables you to monitor traffic irregularities that result from DoS attacks, device or connection faults, or resource limitations. PAN-COMMON-MIB supports global counters for firewalls but not for Panorama.

panChassis: Chassis type and M-Series appliance mode (Panorama or Log Collector).

panSession: Session utilization information. For example, the total number of active sessions on the firewall or a specific virtual system.

panMgmt: Status of the connection from the firewall to the Panorama management server.

panGlobalProtect: GlobalProtect gateway utilization as a percentage, maximum tunnels allowed, and number of active tunnels.

panLogCollector: Log Collector information such as the logging rate, log database storage duration (in days), and RAID disk usage.

PAN-GLOBAL-REG-MIB.my
PAN-GLOBAL-REG-MIB.my contains global, top-level OID definitions for various sub-trees of Palo Alto
Networks enterprise MIB modules. This MIB doesn't contain objects for you to monitor; it is required only for
referencing by other MIBs.

PAN-GLOBAL-TC-MIB.my
PAN-GLOBAL-TC-MIB.my defines conventions (for example, character length and allowed characters) for the
text values of objects in Palo Alto Networks enterprise MIB modules. All Palo Alto Networks products use
these conventions. This MIB doesn't contain objects for you to monitor; it is required only for referencing by
other MIBs.

PAN-LC-MIB.my
PAN-LC-MIB.my contains definitions of managed objects that Log Collectors (M-Series appliances in Log
Collector mode) implement. Use this MIB to monitor the logging rate, log database storage duration (in days),
and disk usage (in MB) of each logical disk (up to four) on a Log Collector. For example, you can use this
information to determine whether you should add more Log Collectors or forward logs to an external server
(for example, a syslog server) for archiving.

PAN-PRODUCT-MIB.my
PAN-PRODUCT-MIB.my defines sysObjectID OIDs for all Palo Alto Networks products. This MIB doesn't
contain objects for you to monitor; it is required only for referencing by other MIBs.

PAN-ENTITY-EXT-MIB.my
Use PAN-ENTITY-EXT-MIB.my in tandem with the ENTITY-MIB to monitor power usage for the physical
components of a PA-7000 Series firewall (for example, fan trays and power supplies), which is the only Palo
Alto Networks device that supports this MIB. For example, when troubleshooting log forwarding issues, you
might want to check the power usage of the log processing cards (LPCs): you can map the LPC indexes from
the ENTITY-MIB (entPhysicalDescr object) to values in the PAN-ENTITY-EXT-MIB
(panEntryFRUModelPowerUsed object).

PAN-TRAPS.my
Use PAN-TRAPS.my to see a complete listing of all the generated traps and information about them (for
example, a description). For a list of traps that Palo Alto Networks devices support, refer to the
PAN-COMMON-MIB.my > panCommonEvents > panCommonEventsEvents > panCommonEventEventsV2 object.

NetFlow Monitoring
NetFlow is an industry-standard protocol that the firewall can use to export statistics about the IP traffic that
traverses its interfaces. The firewall exports the statistics as NetFlow fields to a NetFlow collector. The NetFlow
collector is a server you use to analyze network traffic for security, administration, accounting and
troubleshooting. All Palo Alto Networks firewalls support NetFlow (Version 9) except the PA-4000 Series and
PA-7000 Series firewalls. The firewalls support only unidirectional NetFlow, not bidirectional. You can enable
NetFlow exports on all interface types except HA, log card, or decrypt mirror. To identify firewall interfaces in
a NetFlow collector, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors. The firewall
supports standard and enterprise (PAN-OS specific) NetFlow templates.

Configure NetFlow Exports

NetFlow Templates

Configure NetFlow Exports


Configure NetFlow Exports

Step 1  Create a NetFlow server profile.
        1. Select Device > Server Profiles > NetFlow and click Add.
        2. Enter a Name for the profile.
        3. Specify the frequency at which the firewall refreshes NetFlow Templates in Minutes (default is 30) or
           Packets (default is 20), according to the requirements of your NetFlow collector.
        4. For the Active Timeout, specify the frequency in minutes at which the firewall exports records (default
           is 5).
        5. Select the PAN-OS Field Types check box if you want the firewall to export App-ID and User-ID fields.
        6. For each NetFlow collector (up to two per profile) that will receive fields, click Add and enter an
           identifying server Name, hostname or IP address (NetFlow Server), and access Port (default is 2055).
           NetFlow export is unauthenticated, unencrypted UDP, and with PAN-OS Field Types enabled the records
           carry usernames, so send exports only over a trusted management path and restrict which source
           addresses the collector accepts flows from.
        7. Click OK to save the profile.

Step 2  Assign the NetFlow server profile to the interfaces that carry the traffic you want to analyze. In this
        example, you assign the profile to an existing Ethernet interface.
        1. Select Network > Interfaces > Ethernet and click an interface name to edit it.
        2. In the NetFlow Profile drop-down, select the NetFlow server profile and click OK.
        3. Click Commit.

Step 3  Monitor the firewall traffic in a NetFlow collector.
        Refer to the documentation for your NetFlow collector. When monitoring statistics, you must match the
        interface indexes in the NetFlow collector with interface names in the firewall web interface. For details,
        see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.

NetFlow Templates
NetFlow collectors use templates to decipher the fields that the firewall exports. The firewall selects a template
based on the type of exported data: IPv4 or IPv6 traffic, with or without NAT, and with standard or
enterprise-specific (PAN-OS specific) fields. The firewall periodically refreshes templates to re-evaluate which
one to use (in case the type of exported data changes) and to apply any changes to the fields in the selected
template. When you Configure NetFlow Exports, you set the refresh frequency according to the requirements
of your NetFlow collector.
The Palo Alto Networks firewall supports the following NetFlow templates:

Template                    ID
IPv4 Standard               256
IPv4 Enterprise             257
IPv6 Standard               258
IPv6 Enterprise             259
IPv4 with NAT Standard      260
IPv4 with NAT Enterprise    261
IPv6 with NAT Standard      262
IPv6 with NAT Enterprise    263

The following table lists the NetFlow fields that the firewall can send, along with the templates that define them.
The Value column is the NetFlow field type ID; the IDs for the first eight fields are the standard NetFlow
Version 9 values from RFC 3954.

Value  Field
       Description
       Templates

1      IN_BYTES
       Incoming counter with length N * 8 bits for the number of bytes associated with an IP flow. By default,
       N is 4.
       Templates: All templates

2      IN_PKTS
       Incoming counter with length N * 8 bits for the number of packets associated with an IP flow. By
       default, N is 4.
       Templates: All templates

4      PROTOCOL
       IP protocol byte.
       Templates: All templates

5      TOS
       Type of Service byte setting when entering the ingress interface.
       Templates: All templates

6      TCP_FLAGS
       Cumulative (bitwise OR) of all the TCP flags seen in this flow.
       Templates: All templates

7      L4_SRC_PORT
       TCP/UDP source port number (for example, FTP, Telnet, or equivalent).
       Templates: All templates

8      IPV4_SRC_ADDR
       IPv4 source address.
       Templates: IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise

10     INPUT_SNMP
       Input interface index. The value length is 2 bytes by default, but higher values are possible. For details
       on how Palo Alto Networks firewalls generate interface indexes, see Firewall Interface Identifiers in SNMP
       Managers and NetFlow Collectors.
       Templates: All templates

11     L4_DST_PORT
       TCP/UDP destination port number (for example, FTP, Telnet, or equivalent).
       Templates: All templates

12     IPV4_DST_ADDR
       IPv4 destination address.
       Templates: IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise

14     OUTPUT_SNMP
       Output interface index. The value length is 2 bytes by default, but higher values are possible. For details
       on how Palo Alto Networks firewalls generate interface indexes, see Firewall Interface Identifiers in SNMP
       Managers and NetFlow Collectors.
       Templates: All templates

21     LAST_SWITCHED
       System uptime in milliseconds when the last packet of this flow was switched.
       Templates: All templates

22     FIRST_SWITCHED
       System uptime in milliseconds when the first packet of this flow was switched.
       Templates: All templates

27     IPV6_SRC_ADDR
       IPv6 source address.
       Templates: IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise

28     IPV6_DST_ADDR
       IPv6 destination address.
       Templates: IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise

32     ICMP_TYPE
       Internet Control Message Protocol (ICMP) packet type. This is reported as: ICMP Type * 256 + ICMP code
       Templates: All templates

61     DIRECTION
       Flow direction: 0 = ingress, 1 = egress
       Templates: All templates

148    flowId
       An identifier of a flow that is unique within an observation domain. You can use this information element
       to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported
       or are reported in separate records.
       Templates: All templates

233    firewallEvent
       Indicates a firewall event: 0 = Ignore (invalid), 1 = Flow created, 2 = Flow deleted, 3 = Flow denied,
       4 = Flow alert, 5 = Flow update
       Templates: All templates

225    postNATSourceIPv4Address
       The definition of this information element is identical to that of sourceIPv4Address, except that it reports
       a modified value that the firewall produced during network address translation after the packet traversed
       the interface.
       Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

226    postNATDestinationIPv4Address
       The definition of this information element is identical to that of destinationIPv4Address, except that it
       reports a modified value that the firewall produced during network address translation after the packet
       traversed the interface.
       Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

227    postNAPTSourceTransportPort
       The definition of this information element is identical to that of sourceTransportPort, except that it
       reports a modified value that the firewall produced during network address port translation after the
       packet traversed the interface.
       Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

228    postNAPTDestinationTransportPort
       The definition of this information element is identical to that of destinationTransportPort, except that it
       reports a modified value that the firewall produced during network address port translation after the
       packet traversed the interface.
       Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

281    postNATSourceIPv6Address
       The definition of this information element is identical to the definition of information element
       sourceIPv6Address, except that it reports a modified value that the firewall produced during NAT64
       network address translation after the packet traversed the interface. See RFC 2460 for the definition of
       the source address field in the IPv6 header. See RFC 6146 for the NAT64 specification.
       Templates: IPv6 with NAT standard, IPv6 with NAT enterprise

282    postNATDestinationIPv6Address
       The definition of this information element is identical to the definition of information element
       destinationIPv6Address, except that it reports a modified value that the firewall produced during NAT64
       network address translation after the packet traversed the interface. See RFC 2460 for the definition of
       the destination address field in the IPv6 header. See RFC 6146 for the NAT64 specification.
       Templates: IPv6 with NAT standard, IPv6 with NAT enterprise

346    privateEnterpriseNumber
       This is a unique private enterprise number that identifies Palo Alto Networks: 25461.
       Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise

56701  App-ID
       The name of an application that App-ID identified. The name can be up to 32 bytes.
       Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise

56702  User-ID
       A username that User-ID identified. The name can be up to 64 bytes.
       Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise

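As an added illustration of the template mechanism and field conventions above (this code is not from the guide and not Palo Alto Networks code), the following Python decoder does what a collector has to do: it caches templates by (source ID, template ID), decodes data flowsets only against a template it has seen, and applies the conventions from the field table (ICMP_TYPE as type * 256 + code, the firewallEvent codes, dotted-quad addresses, and NUL-padded App-ID and User-ID strings). The export packet it parses is constructed inline to carry one record under the IPv4 Enterprise template (ID 257); the exact field list and lengths a firewall places in that template, the fixed-width NUL-padded encoding of the two string fields, and the assumption that 56701 and 56702 travel as ordinary Version 9 field-type IDs are all assumptions taken from the table rather than from a capture.

```python
import socket
import struct
from typing import Dict, List, Tuple

# Field-type IDs from the PAN-OS NetFlow field table (standard IDs per RFC 3954 /
# IANA; 56701 and 56702 are the PAN-OS specific App-ID and User-ID fields).
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "TOS", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 21: "LAST_SWITCHED",
    22: "FIRST_SWITCHED", 27: "IPV6_SRC_ADDR", 28: "IPV6_DST_ADDR",
    32: "ICMP_TYPE", 61: "DIRECTION", 148: "flowId", 233: "firewallEvent",
    225: "postNATSourceIPv4Address", 226: "postNATDestinationIPv4Address",
    227: "postNAPTSourceTransportPort", 228: "postNAPTDestinationTransportPort",
    281: "postNATSourceIPv6Address", 282: "postNATDestinationIPv6Address",
    346: "privateEnterpriseNumber", 56701: "App-ID", 56702: "User-ID",
}
IPV4_FIELDS, IPV6_FIELDS, STRING_FIELDS = {8, 12, 225, 226}, {27, 28, 281, 282}, {56701, 56702}
FIREWALL_EVENTS = {0: "ignore", 1: "created", 2: "deleted", 3: "denied", 4: "alert", 5: "update"}
HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceId
Template = List[Tuple[int, int]]                  # [(field type, field length), ...]
TemplateCache = Dict[Tuple[int, int], Template]   # keyed by (source id, template id)


def decode_value(ftype: int, raw: bytes):
    """Convert one field's raw bytes using the conventions from the field table."""
    if ftype in IPV4_FIELDS:
        return socket.inet_ntop(socket.AF_INET, raw)
    if ftype in IPV6_FIELDS:
        return socket.inet_ntop(socket.AF_INET6, raw)
    if ftype in STRING_FIELDS:                      # assumed fixed width, NUL padded
        return raw.rstrip(b"\x00").decode("utf-8", "replace")
    value = int.from_bytes(raw, "big")
    if ftype == 32:                                 # ICMP Type * 256 + ICMP code
        return divmod(value, 256)
    if ftype == 233:
        return FIREWALL_EVENTS.get(value, "unknown(%d)" % value)
    if ftype == 61:
        return "egress" if value == 1 else "ingress"
    return value


def parse_netflow_v9(packet: bytes, templates: TemplateCache) -> List[dict]:
    """Parse one export packet. `templates` must persist across calls: the firewall
    re-sends templates only at the configured refresh interval, and a data flowset
    whose template is not cached yet is skipped rather than guessed."""
    version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow Version 9 packet (version %d)" % version)
    records: List[dict] = []
    offset = HEADER.size
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("bad flowset length at offset %d" % offset)
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:                         # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if tid < 256 or pos + 4 + 4 * nfields > len(body):
                    break                           # padding or truncated template
                pos += 4
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
        elif flowset_id >= 256:                     # data flowset
            fields = templates.get((source_id, flowset_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            pos = 0
            while rec_len and pos + rec_len <= len(body):
                rec = {"template": flowset_id}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = decode_value(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        offset += length
    return records


def build_sample_packet(include_template: bool = True) -> bytes:
    """Constructed test data, not a capture: one record laid out the way the IPv4
    Enterprise template (257) might carry it; field list and lengths are assumed."""
    template = [(1, 4), (2, 4), (4, 1), (7, 2), (8, 4), (10, 2), (11, 2), (12, 4),
                (14, 2), (32, 2), (61, 1), (233, 1), (346, 4), (56701, 32), (56702, 64)]
    tmpl_body = struct.pack("!HH", 257, len(template)) + b"".join(struct.pack("!HH", t, n) for t, n in template)
    tmpl_flowset = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    record = (struct.pack("!IIBH", 1500, 12, 6, 51234)       # bytes, packets, TCP, source port
              + socket.inet_aton("192.0.2.25")
              + struct.pack("!HH", 6, 443)                    # INPUT_SNMP (Eth1/4 on a PA-5000), dst port
              + socket.inet_aton("198.51.100.34")
              + struct.pack("!HH", 7, 0)                      # OUTPUT_SNMP, ICMP_TYPE (not ICMP)
              + bytes([0, 1])                                 # DIRECTION ingress, firewallEvent created
              + struct.pack("!I", 25461)                      # Palo Alto Networks enterprise number
              + b"ssl".ljust(32, b"\x00") + b"acme\\jsmith".ljust(64, b"\x00"))
    record += b"\x00" * (-len(record) % 4)                    # pad the flowset to a 32-bit boundary
    data_flowset = struct.pack("!HH", 257, 4 + len(record)) + record
    header = HEADER.pack(9, 2, 123456, 1450000000, 1, 0)
    return header + (tmpl_flowset if include_template else b"") + data_flowset
```

Calling parse_netflow_v9 with an empty cache on a packet that carries only the data flowset (build_sample_packet(include_template=False)) returns no records; the same packet decodes once a packet with the template has been seen. That is the situation a collector started between two template refreshes is in, and it is why the refresh interval in the server profile has to match what the collector expects.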
Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
When you use a NetFlow collector (see NetFlow Monitoring) or SNMP manager (see SNMP Monitoring and
Traps) to monitor the Palo Alto Networks firewall, an interface index (SNMP ifindex object) identifies the
interface that carried a particular flow (see Figure: Interface Indexes in an SNMP Manager). In contrast, the
firewall web interface uses interface names as identifiers (for example, ethernet1/1), not indexes. To understand
which statistics that you see in a NetFlow collector or SNMP manager apply to which firewall interface, you
must be able to match the interface indexes with interface names.
Figure: Interface Indexes in an SNMP Manager

You can match the indexes with names by understanding the formulas that the firewall uses to calculate indexes.
The formulas vary by platform and interface type: physical or logical.
Physical interface indexes have a range of 1-9999, which the firewall calculates as follows:

Non-chassis based firewalls (VM-Series, PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series,
PA-5000 Series; the PA-4000 Series platform supports SNMP but not NetFlow)
  Calculation: MGT port + physical port offset
    MGT port: a constant that depends on the platform: 2 for hardware-based firewalls (for example, the
    PA-5000 Series firewall), 1 for the VM-Series firewall.
    Physical port offset: the physical port number.
  Example interface index: PA-5000 Series firewall, Eth1/4 = 2 (MGT port) + 4 (physical port) = 6

Chassis based firewalls (PA-7000 Series; this platform supports SNMP but not NetFlow)
  Calculation: (Max. ports * slot) + physical port offset + MGT port
    Maximum ports: a constant of 64.
    Slot: the chassis slot number of the network interface card.
    Physical port offset: the physical port number.
    MGT port: a constant of 5 for PA-7000 Series firewalls.
  Example interface index: PA-7000 Series firewall, Eth3/9 = [64 (max. ports) * 3 (slot)] + 9 (physical port) +
  5 (MGT port) = 206

Logical interface indexes for all platforms are nine-digit numbers. Counting from the right, digit 9 is the
interface type, digits 7-8 the interface slot (01-09), digits 5-6 the interface port (01-09) or aggregate group
number (01-08), and digits 1-4 the subinterface suffix (0001-9999). The firewall calculates them as follows:

Interface Type         Range                Digit 9  Digits 7-8         Digits 5-6             Digits 1-4
Layer 3 subinterface   101010001-199999999  Type: 1  Slot: 1-9 (01-09)  Port: 1-9 (01-09)      Subinterface suffix: 1-9999 (0001-9999)
Layer 2 subinterface   101010001-199999999  Type: 1  Slot: 1-9 (01-09)  Port: 1-9 (01-09)      Subinterface suffix: 1-9999 (0001-9999)
Vwire subinterface     101010001-199999999  Type: 1  Slot: 1-9 (01-09)  Port: 1-9 (01-09)      Subinterface suffix: 1-9999 (0001-9999)
VLAN                   200000001-200009999  Type: 2  00                 00                     VLAN suffix: 1-9999 (0001-9999)
Loopback               300000001-300009999  Type: 3  00                 00                     Loopback suffix: 1-9999 (0001-9999)
Tunnel                 400000001-400009999  Type: 4  00                 00                     Tunnel suffix: 1-9999 (0001-9999)
Aggregate group        500010001-500089999  Type: 5  00                 AE suffix: 1-8 (01-08) Subinterface suffix: 1-9999 (0001-9999)

Example interface indexes (each term is the digit group multiplied by its place value, so a slot of 1 contributes
1000000 and a port of 5 contributes 50000):
  Layer 3 subinterface: Eth1/5.22 = 100000000 (type) + 1000000 (slot) + 50000 (port) + 22 (suffix) = 101050022
  Layer 2 subinterface: Eth2/3.6 = 100000000 (type) + 2000000 (slot) + 30000 (port) + 6 (suffix) = 102030006
  Vwire subinterface: Eth4/2.312 = 100000000 (type) + 4000000 (slot) + 20000 (port) + 312 (suffix) = 104020312
  VLAN: VLAN.55 = 200000000 (type) + 55 (suffix) = 200000055
  Loopback: Loopback.55 = 300000000 (type) + 55 (suffix) = 300000055
  Tunnel: Tunnel.55 = 400000000 (type) + 55 (suffix) = 400000055
  Aggregate group: AE5.99 = 500000000 (type) + 50000 (AE suffix) + 99 (suffix) = 500050099

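As an added example that is not from the guide or from Palo Alto Networks, the following Python functions implement the two index formulas above in both directions, so an INPUT_SNMP or OUTPUT_SNMP value from a NetFlow record, or an ifIndex from an SNMP walk, can be turned back into the interface name the web interface shows. The platform labels "hardware", "vm-series" and "pa-7000" are names chosen here for the three constant sets in the tables; interface names are accepted in the lowercase form the web interface uses (ethernet1/5.22, ae5.99, vlan.55).

```python
import re

# Constants from the index formulas in the tables above.
MGT_PORT_OFFSET = {"hardware": 2, "vm-series": 1}   # non-chassis platforms
PA7000_MGT_PORT_OFFSET = 5
PA7000_MAX_PORTS = 64
TYPE_CODES = {"ethernet": 1, "vlan": 2, "loopback": 3, "tunnel": 4, "ae": 5}
TYPE_NAMES = {code: kind for kind, code in TYPE_CODES.items()}

_PHYSICAL = re.compile(r"^ethernet(\d+)/(\d+)$")
_LOGICAL = re.compile(r"^(?:ethernet(\d+)/(\d+)|ae(\d+)|(vlan|loopback|tunnel))\.(\d+)$")


def physical_ifindex(name: str, platform: str = "hardware") -> int:
    """Index of a physical port: 'hardware' = 2 + port, 'vm-series' = 1 + port,
    'pa-7000' = 64 * slot + port + 5."""
    m = _PHYSICAL.match(name.lower())
    if not m:
        raise ValueError("not a physical interface name: %r" % name)
    slot, port = int(m.group(1)), int(m.group(2))
    if platform == "pa-7000":
        return PA7000_MAX_PORTS * slot + port + PA7000_MGT_PORT_OFFSET
    if slot != 1:
        raise ValueError("the non-chassis formula has no slot term; expected ethernet1/N")
    return MGT_PORT_OFFSET[platform] + port


def logical_ifindex(name: str) -> int:
    """Nine-digit index: digit 9 = type, digits 7-8 = slot, digits 5-6 = port
    (or aggregate group number), digits 1-4 = subinterface suffix."""
    m = _LOGICAL.match(name.lower())
    if not m:
        raise ValueError("not a logical interface name: %r" % name)
    suffix = int(m.group(5))
    if not 1 <= suffix <= 9999:
        raise ValueError("suffix must be 1-9999")
    if m.group(1):                                   # ethernetS/P.suffix (Layer 2, Layer 3 or vwire)
        slot, port = int(m.group(1)), int(m.group(2))
        if not (1 <= slot <= 9 and 1 <= port <= 9):
            raise ValueError("slot and port must be 1-9 in the nine-digit scheme")
        return TYPE_CODES["ethernet"] * 10**8 + slot * 10**6 + port * 10**4 + suffix
    if m.group(3):                                   # aeN.suffix
        ae = int(m.group(3))
        if not 1 <= ae <= 8:
            raise ValueError("aggregate group number must be 1-8")
        return TYPE_CODES["ae"] * 10**8 + ae * 10**4 + suffix
    return TYPE_CODES[m.group(4)] * 10**8 + suffix   # vlan/loopback/tunnel.suffix


def ifindex_to_name(index: int, platform: str = "hardware") -> str:
    """Reverse mapping for INPUT_SNMP/OUTPUT_SNMP or ifIndex values."""
    if 1 <= index <= 9999:                           # physical
        if platform == "pa-7000":
            slot, port = divmod(index - PA7000_MGT_PORT_OFFSET, PA7000_MAX_PORTS)
            return "ethernet%d/%d" % (slot, port)
        return "ethernet1/%d" % (index - MGT_PORT_OFFSET[platform])
    kind, rest = divmod(index, 10**8)
    if kind not in TYPE_NAMES:
        raise ValueError("unknown interface type digit in %d" % index)
    slot, rest = divmod(rest, 10**6)
    port, suffix = divmod(rest, 10**4)
    name = TYPE_NAMES[kind]
    if name == "ethernet":
        return "ethernet%d/%d.%d" % (slot, port, suffix)
    if name == "ae":
        return "ae%d.%d" % (port, suffix)
    return "%s.%d" % (name, suffix)
```

The platform argument matters only for physical indexes: a value of 6 is ethernet1/4 on a hardware firewall but ethernet1/5 on a VM-Series, so a collector that mixes sources needs to know which platform each exporter is.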
User-ID
The User Identification (User-ID) feature of the Palo Alto Networks next-generation firewall enables you to
create policies and perform reporting based on users and groups rather than individual IP addresses.

User-ID Overview

User-ID Concepts

Enable User-ID

Map Users to Groups

Map IP Addresses to Users

Configure a Firewall to Share User Mapping Data with Other Firewalls

Enable User- and Group-Based Policy

Enable Policy for Users with Multiple Accounts

Verify the User-ID Configuration

Deploy User-ID in a Large-Scale Network

User-ID Overview
User-ID seamlessly integrates Palo Alto Networks firewalls with a range of enterprise directory and terminal
services offerings, enabling you to tie application activity and policy rules to users and groups, not just IP
addresses. Furthermore, with User-ID enabled, the Application Command Center (ACC), App-Scope, reports,
and logs all include usernames in addition to user IP addresses.
Palo Alto Networks firewalls support monitoring of the following enterprise services:

Microsoft Active Directory

Lightweight Directory Access Protocol (LDAP)

Novell eDirectory

Citrix Metaframe Presentation Server or XenApp

Microsoft Terminal Services

For user- and group-based policies, the firewall requires a list of all available users and their corresponding group
mappings that you can select when defining your policies. The firewall collects Group Mapping information by
connecting directly to your LDAP directory server.
To enforce user- and group-based policies, the firewall must be able to map the IP addresses in the packets it
receives to usernames. User-ID provides many mechanisms to collect this User Mapping information. For
example, the User-ID agent monitors server logs for login events, probes clients, and listens for syslog messages
from authenticating services. To identify mappings for IP addresses that the agent didn't map, you can configure
the firewall to redirect HTTP requests to a Captive Portal login. You can tailor the user mapping mechanisms
to suit your environment, and even use different mechanisms at different sites.
User-ID does not work in environments where the source IP addresses of users are subject to
NAT translation before the firewall maps the IP addresses to usernames.

Figure: User-ID

See User-ID Concepts for information on how User-ID works and Enable User-ID for instructions on setting
up User-ID.

User-ID Concepts

Group Mapping

User Mapping

Group Mapping
To define policy rules based on user or group, first you create an LDAP server profile that defines how the
firewall connects and authenticates to your directory server. The firewall supports a variety of directory servers,
including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server. The server
profile also defines how the firewall searches the directory to retrieve the list of groups and the corresponding
list of members. Next you create a group mapping configuration to Map Users to Groups. Then you can select
the users or groups when defining policy rules.

Defining policy rules based on group membership rather than on individual users simplifies administration
because you don't have to update the rules whenever new users are added to a group. For example, you can write
security rules that allow access to specific internal applications based on group membership.

When configuring group mapping, you can limit which groups will be available in policy rules. You can specify
groups that already exist in your directory service or define custom groups based on LDAP filters. Defining
custom groups can be quicker than creating new groups or changing existing ones on an LDAP server, and
doesn't require an LDAP administrator to intervene. User-ID maps all the LDAP directory users who match
the filter to the custom group. For example, you might want a security policy that allows contractors in the
Marketing Department to access social networking sites. If no Active Directory group exists for that
department, you can configure an LDAP filter that matches users for whom the LDAP attribute Department is
set to Marketing. Log queries and reports that are based on user groups will include custom groups.

User Mapping
Having the names of the users and groups is only one piece of the puzzle. The firewall also needs to know which
IP addresses map to which users so that security rules can be enforced appropriately. Figure: User-ID illustrates
the different methods that are used to identify users and groups on your network and shows how user mapping
and group mapping work together to enable user- and group-based security enforcement and visibility.
The following topics describe the different methods of user mapping:

Server Monitoring

Client Probing

Port Mapping

Syslog

Captive Portal

GlobalProtect

User-ID XML API

Server Monitoring
With server monitoring, a User-ID agent (either a Windows-based agent running on a domain server in your
network, or the integrated PAN-OS User-ID agent running on the firewall) monitors the security event logs
for specified Microsoft Exchange Servers, domain controllers, or Novell eDirectory servers for login events. For
example, in an AD environment, you can configure the User-ID agent to monitor the security logs for Kerberos
ticket grants or renewals, Exchange server access (if configured), and file and print service connections. Note
that for these events to be recorded in the security log, the AD domain must be configured to log successful
account login events. In addition, because users can log in to any of the servers in the domain, you must set up
server monitoring for all servers to capture all user login events.
Because server monitoring requires very little overhead and because the majority of users can generally be
mapped using this method, it is recommended as the base user mapping method for most User-ID deployments.
See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the
PAN-OS Integrated User-ID Agent for details.

Client Probing
In a Microsoft Windows environment, you can configure the User-ID agent to probe client systems using
Windows Management Instrumentation (WMI). The Windows-based User-ID agent can also perform
NetBIOS probing (not supported on the PAN-OS integrated User-ID agent). Probing is particularly useful in
environments with a high IP address turnover because changes will be reflected on the firewall more quickly,
enabling more accurate enforcement of user-based policies. However, if the correlation between IP addresses
and users is fairly static, you probably do not need to enable client probing. Because probing can generate a large
amount of network traffic (based on the total number of mapped IP addresses), the agent that will be initiating
the probes should be located as close as possible to the end clients.

If probing is enabled, the agent will probe each learned IP address periodically (every 20 minutes by default, but
this is configurable) to verify that the same user is still logged in. In addition, when the firewall encounters an
IP address for which it has no user mapping, it will send the address to the agent for an immediate probe.
See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the
PAN-OS Integrated User-ID Agent for details.

Port Mapping
In environments with multi-user systems (such as Microsoft Terminal Server or Citrix environments), many
users share the same IP address. In this case, the user-to-IP address mapping process requires knowledge of the
source port of each client. To perform this type of mapping, you must install the Palo Alto Networks Terminal
Services Agent on the Windows/Citrix terminal server itself to intermediate the assignment of source ports to
the various user processes. For terminal servers that do not support the Terminal Services Agent, such as Linux
terminal servers, you can use the XML API to send user mapping information from login and logout events to
User-ID. See Configure User Mapping for Terminal Server Users for configuration details.

Syslog
In environments with existing network services that authenticate users (such as wireless controllers, 802.1x
devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms),
the firewall User-ID agent (either the Windows agent or the PAN-OS integrated agent on the firewall) can listen
for authentication syslog messages from those services. Syslog filters, which are provided by a content update
(integrated User-ID agent only) or configured manually, allow the User-ID agent to parse and extract usernames
and IP addresses from authentication syslog events generated by the external service, and add the information
to the User-ID IP address-to-username mappings maintained by the firewall. See Configure User-ID to Receive
User Mappings from a Syslog Sender for configuration details.

Figure: User-ID Integration with Syslog

Captive Portal
If the firewall or the User-ID agent can't map an IP address to a username (for example, if the user isn't logged
in or uses an operating system such as Linux that your domain servers don't support), you can configure
Captive Portal. Any web traffic (HTTP or HTTPS) that matches a Captive Portal policy rule requires user
authentication. You can base the authentication on a transparent browser-challenge (Kerberos Single Sign-On
(SSO) or NT LAN Manager (NTLM) authentication), web form (for RADIUS, TACACS+, LDAP, Kerberos,
or local database authentication), or client certificates. For details, see Map IP Addresses to Usernames Using
Captive Portal.

GlobalProtect
For mobile or roaming users, the GlobalProtect client provides the user mapping information to the firewall
directly. In this case, every GlobalProtect user has an agent or app running on the client that requires the user
to enter login credentials for VPN access to the firewall. This login information is then added to the User-ID
user mapping table on the firewall for visibility and user-based security policy enforcement. Because
GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is

explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is
in order to allow access to an application or service. For more information on setting up GlobalProtect, refer
to the GlobalProtect Administrators Guide.

User-ID XML API


For other types of user access that cannot be mapped using any of the standard user mapping methods or
Captive Portal (for example, to add mappings of users connecting from a third-party VPN solution or users
connecting to an 802.1x enabled wireless network), you can use the User-ID XML API to capture login events
and send them to the User-ID agent or directly to the firewall. See Send User Mappings to User-ID Using the
XML API for details.

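The Syslog and User-ID XML API methods described above both end in the same place: an IP address-to-username mapping handed to User-ID. As an added example (this code is not from the guide and not Palo Alto Networks code), the following Python script parses constructed syslog lines from a hypothetical wireless controller with a regex filter, drops lines whose address does not parse, builds the uid-message document that the XML API accepts for login and logout events, and forms the API request URL. The syslog message format and the filter regex are invented for the example; the uid-message element names, attributes and the type=user-id request parameter are the XML API format as the author understands it and should be checked against the PAN-OS XML API reference for your release.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed syslog lines standing in for an authenticating wireless controller;
# the message format is invented for this example.
SAMPLE_SYSLOG = [
    r"<134>Dec 23 10:01:02 wlc01 AAA: User acme\jsmith logged in from 192.0.2.25",
    r"<134>Dec 23 10:05:17 wlc01 AAA: User acme\rjones logged out from 192.0.2.40",
    r"<134>Dec 23 10:06:00 wlc01 AAA: User mallory logged in from 999.1.1.1",
    r"<134>Dec 23 10:07:00 wlc01 AAA: port 3 link up",
]

# One regex per sending service, in the spirit of a syslog parse profile: named
# groups pull out the username, the event and the client address. Anchoring to
# the end of the line keeps trailing text from being read as part of the address.
SYSLOG_FILTERS = {
    "wlc-aaa": re.compile(r"AAA: User (?P<user>[\w.\\-]+) logged (?P<event>in|out) from (?P<ip>\S+)$"),
}


def extract_events(lines):
    """Return (logins, logouts), each a list of (user, ip). Lines whose address
    is not a valid IP address are dropped rather than forwarded to the firewall."""
    logins, logouts = [], []
    for line in lines:
        for rx in SYSLOG_FILTERS.values():
            m = rx.search(line)
            if not m:
                continue
            try:
                ip = str(ipaddress.ip_address(m["ip"]))
            except ValueError:
                break                                # malformed address: ignore the line
            (logins if m["event"] == "in" else logouts).append((m["user"], ip))
            break
    return logins, logouts


def build_uid_message(logins, logouts, timeout_minutes=60) -> str:
    """Serialize mappings as a uid-message document (element names as the author
    understands the User-ID XML API; verify against the XML API reference)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip in logins:
            ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def api_request_url(firewall: str, api_key: str, uid_xml: str) -> str:
    """Request URL for the firewall's XML API user-id call. ElementTree has already
    escaped attribute values and urlencode escapes the whole document, so a
    username lifted from syslog cannot break out of the XML or the query string."""
    query = urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml})
    return "https://%s/api/?%s" % (firewall, query)
```

A syslog sender is an unauthenticated input: anyone who can deliver a message the filter matches can map an address to a privileged username, so restrict which senders the agent accepts, by source address and by a transport the sender has to authenticate to where the service supports it, and treat the filter's anchoring and the address check as part of the policy rather than as parsing details.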
Enable User-ID
You must complete the following tasks to set up the firewall to use users and groups in policy enforcement,
logging, and reporting:

Map Users to Groups


Map IP Addresses to Users
Enable User- and Group-Based Policy
Verify the User-ID Configuration

Map Users to Groups


Use the following procedure to enable the firewall to connect to your LDAP directory and retrieve Group
Mapping information:
The following are best practices for group mapping in an Active Directory (AD) environment:
If you have a single domain, you need only one LDAP server profile that connects the firewall to the
domain controller with the best connectivity. You can add additional domain controllers for fault tolerance.
If you have multiple domains and/or multiple forests, you must create a server profile to connect to a
domain server in each domain/forest. Take steps to ensure unique usernames in separate forests.
If you have Universal Groups, create a server profile to connect to the Global Catalog server.

Map Users to Groups

Step 1  Add an LDAP server profile.
        The profile defines how the firewall connects to the directory servers from which it collects group
        mapping information. You can add up to four servers to the profile but they must be the same Type.

        Configure an LDAP Server Profile:
        1. Select Device > Server Profiles > LDAP, click Add, and enter a Profile Name.
        2. For each LDAP server, click Add and enter the server Name, IP address (LDAP Server), and Port
           (default is 389).
           Port 389 is plain LDAP: the bind password entered in step 5 crosses the network in cleartext unless
           the profile's SSL/TLS setting is enabled (LDAPS, port 636). Enable it, and use a least-privilege,
           read-only bind account.
        3. Based on your Type selection (for example, active-directory), the firewall automatically populates the
           correct LDAP attributes in the group mapping settings. However, if you customized your LDAP schema,
           you might need to modify the default settings.
        4. In the Base DN field, enter the Distinguished Name (DN) of the LDAP tree location where you want the
           firewall to begin its search for user and group information.
        5. Enter the authentication credentials for binding to the LDAP tree in the Bind DN, Password, and
           Confirm Password fields. The Bind DN can be a fully qualified LDAP name (for example,
           cn=administrator,cn=users,dc=acme,dc=local) or a user principal name (for example,
           administrator@acme.local).
        6. Click OK to save the profile.

Step 2  Configure the server settings in a group mapping configuration.
        1. Select Device > User Identification > Group Mapping Settings.
        2. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for this
           configuration.
        3. Click Add and enter a unique Name to identify the group mapping configuration.
        4. Select the LDAP Server Profile you just created.
        5. (Optional) By default, the User Domain field is blank: the firewall automatically detects the domain
           names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the
           firewall retrieves from the LDAP source. Your entry must be the NetBIOS domain name.
        6. (Optional) To filter the groups that the firewall tracks for group mapping, in the Group Objects
           section, enter a Search Filter (LDAP query), Object Class (group definition), Group Name, and Group
           Member.
        7. (Optional) To filter the users that the firewall tracks for group mapping, in the User Objects section,
           enter a Search Filter (LDAP query), Object Class (user definition), and User Name.
        8. (Optional) To match User-ID information with email header information identified in the links and
           attachments of emails forwarded to WildFire, enter the list of email domains in your organization in
           the Mail Domains section, Domain List field. Use commas to separate multiple domains (up to 256
           characters). After you click OK, PAN-OS automatically populates the Mail Attributes field based on
           your LDAP server type (Sun/RFC, Active Directory, or Novell). When a match occurs, the username in
           the WildFire log email header section will contain a link that opens the ACC tab, filtered by user or
           user group.
        9. Make sure the Enabled check box is selected.
Step 3  Limit which groups will be available in policy rules.
        Required only if you want to limit policy rules to specific groups. By default, if you don't specify groups,
        all groups are available in policy rules.
        Any custom groups you create will also be available in the Allow List of authentication profiles.

        1. Add existing groups from the directory service:
           a. Select the Group Include List tab.
           b. In the Available Groups list, select the groups you want to appear in policy rules and click the Add
              icon.
        2. If you want to base policy rules on user attributes that don't match existing user groups, create custom
           groups based on LDAP filters:
           a. Select the Custom Group tab and click Add.
           b. Enter a group Name that is unique in the group mapping configuration for the current firewall or
              virtual system. If the Name has the same value as the Distinguished Name (DN) of an existing AD
              group, the firewall uses the custom group in all references to that name (for example, in policies
              and logs).
           c. Specify an LDAP Filter of up to 2,048 UTF-8 characters and click OK. The firewall doesn't validate
              LDAP filters, so it's up to you to ensure they are accurate.
              To minimize the performance impact on the LDAP directory server, use only indexed attributes in
              the filter.
        3. Click OK and Commit. A commit is necessary before custom groups will be available in policies and
           objects.

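Because the firewall does not validate the LDAP Filter of a custom group, a bad filter is only discovered when the group stays empty and the policy that references it silently never matches. The following Python checker is an added example (not part of the guide, not Palo Alto Networks code) of the pre-commit check a practitioner would run: it parses a filter per RFC 4515 (AND, OR and NOT lists; equality, ordering, approximate, presence and substring items; \xx escapes; extensible-match items are not handled), reports the character offset at which a malformed filter goes wrong, and lists attributes that are not in an indexed set you supply. That set is whatever your directory administrator tells you is indexed; nothing here is queried from a server, and the sets used below are constructed.

```python
import re

_ATTR_OP = re.compile(r"([A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|\d+(?:\.\d+)*)(>=|<=|~=|=)")
_HEX_ESCAPE = re.compile(r"\\[0-9A-Fa-f]{2}")


class LdapFilterError(ValueError):
    """Raised with the character offset at which the filter stops being valid."""


class _Parser:
    def __init__(self, text: str):
        self.s, self.i = text, 0

    def peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def expect(self, ch: str) -> None:
        if self.peek() != ch:
            raise LdapFilterError("expected %r at offset %d" % (ch, self.i))
        self.i += 1

    def filter(self):
        """filter = '(' ( '&' filterlist | '|' filterlist | '!' filter | item ) ')'"""
        self.expect("(")
        c = self.peek()
        if c in ("&", "|"):
            self.i += 1
            subs = []
            while self.peek() == "(":
                subs.append(self.filter())
            if not subs:
                raise LdapFilterError("empty %r list at offset %d" % (c, self.i))
            node = (c, subs)
        elif c == "!":
            self.i += 1
            node = ("!", [self.filter()])
        else:
            node = self.item()
        self.expect(")")
        return node

    def item(self):
        """item = attribute ( '=' | '>=' | '<=' | '~=' ) value, value may hold '*' only with '='."""
        m = _ATTR_OP.match(self.s, self.i)
        if not m:
            raise LdapFilterError("expected attribute and operator at offset %d" % self.i)
        attr, op = m.group(1), m.group(2)
        self.i = m.end()
        start = self.i
        while self.peek() not in ("", ")"):
            if self.peek() == "\\":                  # only \xx escapes are legal in a value
                if not _HEX_ESCAPE.match(self.s, self.i):
                    raise LdapFilterError("bad escape at offset %d" % self.i)
                self.i += 3
            elif self.peek() == "(":
                raise LdapFilterError("unescaped '(' in value at offset %d" % self.i)
            else:
                self.i += 1
        value = self.s[start:self.i]
        if op != "=" and "*" in value:
            raise LdapFilterError("'*' is only valid with '=' at offset %d" % start)
        kind = "present" if value == "*" else "substring" if "*" in value else op
        return ("item", attr, kind, value)


def parse_ldap_filter(text: str):
    """Return the filter as a tree of ('&'|'|'|'!', [subfilters]) and ('item', attr, kind, value)."""
    p = _Parser(text)
    node = p.filter()
    if p.i != len(text):
        raise LdapFilterError("trailing characters at offset %d" % p.i)
    return node


def attributes_used(node) -> set:
    if node[0] == "item":
        return {node[1]}
    return set().union(*(attributes_used(n) for n in node[1]))


def filter_problems(text: str, indexed=frozenset()) -> list:
    """Empty list if the filter is well formed and uses only indexed attributes;
    otherwise the syntax error, or one warning per unindexed attribute (LDAP
    attribute names are compared case-insensitively)."""
    try:
        tree = parse_ldap_filter(text)
    except LdapFilterError as e:
        return ["syntax: %s" % e]
    indexed_lc = {a.lower() for a in indexed}
    return ["attribute %r is not indexed; the directory server would scan for it" % a
            for a in sorted(attributes_used(tree)) if a.lower() not in indexed_lc]
```

Run filter_problems on each custom group filter before the commit in step 3; a non-empty result is either a filter the firewall would accept but the directory would reject, or one that will be expensive for the directory server on every group refresh.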
Map IP Addresses to Users


The tasks you perform to map IP addresses to usernames depend on the type and location of the client systems
on your network. Complete as many of the following tasks as necessary to enable mapping of your client
systems:

To map users as they log in to your Exchange servers, domain controllers, or eDirectory servers, or
Windows clients that can be directly probed, you must configure a User-ID agent to monitor the server
logs and probe client systems. You can either Configure User Mapping Using the Windows User-ID Agent
(a standalone agent that you install on one or more member servers in the domain that contains the
servers and clients that the agent will monitor) or Configure User Mapping Using the PAN-OS Integrated
User-ID Agent. For guidance on which agent is appropriate for your network and the required number
and placements of agents, refer to Architecting User Identification Deployments.

If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal
Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto Networks Terminal
Server Agent for User Mapping. For a multi-user system that doesn't run on Windows, you can Retrieve
User Mappings from a Terminal Server Using the User-ID XML API.

To obtain user mappings from existing network services that authenticate users (such as wireless
controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access
Control (NAC) mechanisms), Configure User-ID to Receive User Mappings from a Syslog Sender. You
can use either the Windows agent or the agentless user mapping feature on the firewall to listen for
authentication syslog messages from the network services.

If you have users with client systems that aren't logged into your domain servers (for example, users
running Linux clients that don't log in to the domain), you can Map IP Addresses to Usernames Using
Captive Portal.

For other clients that you can't map using the preceding methods, you can Send User Mappings to
User-ID Using the XML API.

Because policy is local to each firewall, each firewall needs current user mapping and group mapping
information to accurately enforce policy by user and group. However, if you want one firewall to function
as the sole, central collection and distribution point for user mappings, you can Configure a Firewall to
Share User Mapping Data with Other Firewalls.


Configure User Mapping Using the Windows User-ID Agent


In most cases, the majority of your network users will have logins to your monitored domain services. For these
users, the Palo Alto Networks User-ID agent monitors the servers for login events and performs the IP address
to username mapping. The way you configure the User-ID agent depends on the size of your environment and
the location of your domain servers. As a best practice, locate your User-ID agents near your monitored
servers (that is, the monitored servers and the Windows User-ID agent should not be across a WAN link from
each other). This is because most of the traffic for user mapping occurs between the agent and the monitored
server; only a small amount of traffic (the delta of IP address mappings since the last update) flows from the
agent to the firewall.
The following topics describe how to install and configure the User-ID Agent and how to configure the firewall
to retrieve user mapping information from the agent:

Install the User-ID Agent

Configure the User-ID Agent for User Mapping

Install the User-ID Agent


The following procedure shows how to install the User-ID agent on a member server in the domain and set up
the service account with the required permissions. If you are upgrading, the installer automatically removes
the older version; however, it is a good idea to back up the config.xml file before running the installer.
For information about the system requirements for installing the Windows-based User-ID agent
and the supported server OS versions, refer to Operating System (OS) Compatibility User-ID Agent
in the User-ID Agent Release Notes, which are available on the Palo Alto Networks Software
Updates page.

Install the Windows User-ID Agent

Step 1

Decide where to install the User-ID agent.

The User-ID agent queries the Domain Controller and Exchange server logs using Microsoft Remote Procedure
Calls (MSRPCs), which require a complete transfer of the entire log at each query. Therefore, always install
one or more User-ID agents at each site that has servers to be monitored. For more detailed information on
where to install User-ID agents, refer to Architecting User Identification (User-ID) Deployments.

You must install the User-ID agent on a system running one of the supported OS versions: see Operating
System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.

Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will
monitor.

As a best practice, install the User-ID agent close to the servers it will be monitoring (there is more traffic
between the User-ID agent and the monitored servers than there is between the User-ID agent and the firewall,
so locating the agent close to the monitored servers optimizes bandwidth usage).

To ensure the most comprehensive mapping of users, you must monitor all servers that contain user login
information. You might need to install multiple User-ID agents to efficiently monitor all of your resources.


Step 2

Download the User-ID agent installer.
As a best practice, install the User-ID agent version that is the same as the PAN-OS version running on the
firewalls.

1. Log in to the Palo Alto Networks Support site.
2. Select Software Updates from the Manage Devices section.
3. Scroll to the User Identification Agent section of the screen and Download the version of the User-ID
   agent you want to install.
4. Save the UaInstall-x.x.x-xx.msi file on the system(s) where you plan to install the agent.

Step 3

Run the installer as an administrator.

1. To launch a command prompt as an administrator, click Start, right-click Command Prompt, and then select
   Run as administrator.
2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the
   Desktop you would enter the following:
   C:\Users\administrator.acme>cd Desktop
   C:\Users\administrator.acme\Desktop>UaInstall-6.0.0-1.msi
3. Follow the setup prompts to install the agent using the default settings. By default, the agent gets
   installed to the C:\Program Files (x86)\Palo Alto Networks\User-ID Agent folder, but you can Browse
   to a different location.
4. When the installation completes, Close the setup window.

Step 4

Launch the User-ID Agent application.

1. Click Start and select User-ID Agent.

Step 5

(Optional) Change the service account that the User-ID agent uses to log in.
By default, the agent uses the administrator account used to install the .msi file. However, you may want to
switch this to a restricted account as follows:

1. Select User Identification > Setup and click Edit.
2. Select the Authentication tab and enter the service account name that you want the User-ID agent to use
   in the User name for Active Directory field.
3. Enter the Password for the specified account.


Step 6

(Optional) Assign account permissions to the installation folder.
You only need to perform this step if the service account you configured for the User-ID agent is not a
member of the administrators group for the domain or a member of both the Server Operators and the Event
Log Readers groups. A dedicated account that holds exactly these rights is preferable to a domain
administrator account: the agent presents these credentials to every server it monitors, so the account
should carry no more privilege than log reading requires.

1. Give the service account permissions to the installation folder:
   a. From Windows Explorer, navigate to C:\Program Files\Palo Alto Networks (C:\Program Files
      (x86)\Palo Alto Networks on 64-bit systems), right-click the folder, and select Properties.
   b. On the Security tab, Add the User-ID agent service account and assign it permissions to Modify,
      Read & execute, List folder contents, and Read, and then click OK to save the account settings.
2. Give the service account permissions to the User-ID Agent registry sub-tree:
   a. Run regedit and navigate to the Palo Alto Networks sub-tree in one of the following locations:
      32-bit systems: HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
      64-bit systems: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks
   b. Right-click the Palo Alto Networks node and select Permissions.
   c. Assign the User-ID service account Full Control and then click OK to save the setting.
3. On the domain controller, add the service account to the built-in groups that grant the privileges to
   read the security log events (Event Log Readers group) and open sessions (Server Operators group):
   a. Run the MMC and launch the Active Directory Users and Computers snap-in.
   b. Navigate to the Builtin folder for the domain, right-click each group you need to edit (Event Log
      Readers and Server Operators), and select Add to Group to open the properties dialog.
   c. Click Add, enter the name of the service account that you configured the User-ID service to use, and
      then click Check Names to validate that you have the proper object name.
   d. Click OK twice to save the settings.

Configure the User-ID Agent for User Mapping


The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network (for
example, Active Directory servers, Microsoft Exchange servers, and Novell eDirectory servers) and monitors
the logs for login events. The agent uses this information to map IP addresses to usernames. Palo Alto Networks
firewalls connect to the User-ID agent to retrieve this user mapping information, enabling visibility into user
activity by username rather than IP address and enabling user- and group-based security enforcement.


For information about the server OS versions supported by the User-ID agent, refer to Operating
System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes, which are
available on the Palo Alto Networks Software Updates page.

Map IP Addresses to Users Using the User-ID Agent

Step 1

Launch the User-ID Agent application.

1. Select User-ID Agent from the Windows Start menu.

Step 2

Define the servers the User-ID agent should monitor to collect IP address to user mapping information.
The User-ID agent can monitor up to 100 servers and listen for syslog messages from up to 100 syslog
senders.
Keep in mind that in order to collect all of the required mappings, you must connect to all servers that your
users log in to, so that the agent monitors the security log files on all servers that contain login events.

1. Select User Identification > Discovery.
2. In the Servers section of the screen, click Add.
3. Enter a Name and Server Address for the server to be monitored. The network address can be a FQDN or
   an IP address.
4. Select the Server Type (Microsoft Active Directory, Microsoft Exchange, Novell eDirectory, or Syslog
   Sender) and then click OK to save the server entry. Repeat this step for each server to be monitored.
5. (Optional) To enable the agent to automatically discover domain controllers on your network using DNS
   lookups, click Auto Discover.
   The auto-discovery locates domain controllers in the local domain only; you must manually add Exchange
   servers, eDirectory servers, and syslog senders.
6. (Optional) To tune the frequency at which the agent polls configured servers for mapping information,
   select User Identification > Setup and Edit the Setup section. On the Server Monitor tab, modify the value
   in the Server Log Monitor Frequency (seconds) field. As a best practice, increase the value in this field
   to 5 seconds in environments with older Domain Controllers or high-latency links. Click OK to save the
   changes.


Step 3

(Optional) If you configured the agent to connect to a Novell eDirectory server, you must specify how the
agent should search the directory.

1. Select User Identification > Setup and click Edit in the Setup section of the window.
2. Select the eDirectory tab and then complete the following fields:
   Search Base: The starting point or root context for agent queries, for example: dc=domain1, dc=example,
   dc=com.
   Bind Distinguished Name: The account to use to bind to the directory, for example: cn=admin, ou=IT,
   dc=domain1, dc=example, dc=com.
   Bind Password: The bind account password. The agent saves the encrypted password in the configuration
   file.
   Search Filter: The search query for user entries (default is objectClass=Person).
   Server Domain Prefix: A prefix to uniquely identify the user. This is only required if there are
   overlapping name spaces, such as different users with the same name from two different directories.
   Use SSL: Select the check box to use SSL for eDirectory binding.
   Verify Server Certificate: Select the check box to verify the eDirectory server certificate when using
   SSL.
   Enable both options wherever the server supports them: without SSL the bind password crosses the network
   in the clear, and without certificate verification a host impersonating the eDirectory server can capture
   it.

Step 4

(Optional) Enable client probing.
Client probing is useful in environments where IP addresses are not tightly bound to users because it ensures
that previously mapped addresses are still valid. However, as the total number of learned IP addresses grows,
so does the amount of traffic generated. As a best practice, only enable probing on network segments where IP
address turnover is high. Note that the agent authenticates to each probed client with its service account,
which is one more reason to keep that account's privileges minimal. For more details on the placement of
User-ID agents using client probing, refer to Architecting User Identification (User-ID) Deployments.

1. On the Client Probing tab, select the Enable WMI Probing check box and/or the Enable NetBIOS Probing
   check box.
2. Make sure the Windows firewall will allow client probing by adding a remote administration exception to
   the Windows firewall for each probed client.
   For NetBIOS probing to work effectively, each probed client PC must allow port 139 in the Windows
   firewall and must also have file and printer sharing services enabled. WMI probing is always preferred
   over NetBIOS whenever possible.

Step 5

Save the configuration.

Click OK to save the User-ID agent setup settings and then click Commit to restart the User-ID agent and load
the new settings.


Step 6

(Optional) Define the set of users for which you do not need to provide IP address-to-user name mappings,
such as service accounts or kiosk accounts.
You can also use the ignore-user list to identify users whom you want to force to authenticate using Captive
Portal.

Create an ignore_user_list.txt file and save it to the User-ID Agent folder on the domain server where the
agent is installed. List the user accounts to ignore; there is no limit to the number of accounts you can add
to the list. Each user account name must be on a separate line. For example:
SPAdmin
SPInstall
TFSReport

Step 7

Configure the firewalls to connect to the User-ID agent.

Complete the following steps on each firewall you want to connect to the User-ID agent to receive user
mappings:
1. Select Device > User Identification > User-ID Agents and click
Add.
2. Enter a Name for the User-ID agent.
3. Enter the IP address of the Windows Host on which the
User-ID Agent is installed.
4. Enter the Port number (1-65535) on which the agent will listen
for user mapping requests. This value must match the value
configured on the User-ID agent. By default, the port is set to
5007 on the firewall and on newer versions of the User-ID
agent. However, some older User-ID agent versions use port
2010 as the default.
5. Make sure that the configuration is Enabled, then click OK.
6. Commit the changes.
7. Verify that the Connected status displays as connected (a green
light).

Step 8

Verify that the User-ID agent is successfully mapping IP addresses to usernames and that the firewalls can
connect to the agent.

1. Launch the User-ID agent and select User Identification.
2. Verify that the agent status shows Agent is running. If the Agent is not running, click Start.
3. To verify that the User-ID agent can connect to monitored servers, make sure the Status for each Server
   is Connected.
4. To verify that the firewalls can connect to the User-ID agent, make sure the Status for each of the
   Connected Devices is Connected.
5. To verify that the User-ID agent is mapping IP addresses to usernames, select Monitoring and make sure
   that the mapping table is populated. You can also Search for specific users, or Delete user mappings
   from the list.


Configure User Mapping Using the PAN-OS Integrated User-ID Agent


The following procedure shows how to configure the PAN-OS integrated agent on the firewall for user
mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the
exception of NetBIOS client probing (WMI probing is supported).
Map IP Addresses to Users Using the Integrated User-ID Agent

Step 1

Create an Active Directory (AD) account for the User-ID agent.
The account must have the privilege levels required to log in to each service or host that the User-ID agent
will monitor to collect user mapping data.

Windows 2008 or later domain servers: Add the account to the Event Log Readers group. If you are using the
on-device User-ID agent, the account must also be a member of the Distributed COM Users group.

Windows 2003 domain servers: Assign Manage Auditing and Security Logs permissions through group policy.

WMI probing: Make sure the account has rights to read the CIMV2 namespace; by default, Domain Administrator
and Server Operator accounts have this permission.

NTLM authentication: Because the firewall must join the domain if you are using Captive Portal NTLM
authentication with an on-device User-ID agent, the Windows account you create for NTLM access must have
administrative privileges. Note that due to AD restrictions on virtual systems running on the same host, if
the firewall has multiple virtual systems, only vsys1 will be able to join the domain.


Step 2

Define the servers the firewall should monitor to collect IP address-to-user mapping information. You can
define entries for up to 100 Microsoft Active Directory, Microsoft Exchange, or Novell eDirectory servers on
your network.
Note that to collect all the required mappings, the firewall must connect to all servers that your users log
in to so it can monitor the security log files on all servers that contain login events.

1. Select Device > User Identification > User Mapping.
2. In the Server Monitoring section of the screen, click Add.
3. Enter a Name and Network Address for the server. The network address can be a FQDN or an IP address.
4. Select the Type of server.
5. Make sure the Enabled check box is selected and then click OK.
6. (Optional) To enable the firewall to automatically discover domain controllers on your network using DNS
   lookups, click Discover.
   The auto-discovery feature is for domain controllers only; you must manually add any Exchange servers
   or eDirectory servers you want to monitor.
7. (Optional) Specify the frequency at which the firewall polls Windows servers for mapping information.
   This is the interval between the end of the last query and the start of the next query.
   If the query load is high, the observed delay between queries might significantly exceed the specified
   frequency.
   a. In the Palo Alto Networks User ID Agent Setup section, click the Edit icon.
   b. Select the Server Monitor tab and specify the Server Log Monitor Frequency in seconds (default is 2,
      range is 1-3600). As a best practice, increase the value in this field to 5 seconds in environments
      with older domain controllers or high-latency links.
   c. Click OK to save the changes.

Step 3

Set the domain credentials for the account the firewall will use to access Windows resources. This is
required for monitoring Exchange servers and domain controllers as well as for WMI probing.

1. Edit the Palo Alto Networks User ID Agent Setup section of the screen.
2. On the WMI Authentication tab, enter the User Name and Password for the account that will be used to
   probe the clients and monitor servers. Enter the user name using the domain\username syntax.


Step 4

(Optional) Enable WMI probing.
The on-device agent does not support NetBIOS probing; it is supported on the Windows-based User-ID agent
only.

1. On the Client Probing tab, select the Enable Probing check box.
2. (Optional) If necessary, modify the Probe Interval (in minutes) to ensure it is long enough for the
   User-ID agent to probe all the learned IP addresses (default is 20, range is 1-1440). This is the
   interval between the end of the last probe request and the start of the next request.
   If the request load is high, the observed delay between requests might significantly exceed the
   specified interval.
3. Make sure the Windows firewall will allow client probing by adding a remote administration exception to
   the Windows firewall for each probed client.

Step 5

Save the configuration.

1. Click OK to save the User-ID agent setup settings.
2. Click Commit to save the configuration.

Step 6

(Optional) Define the set of users for which you do not need to provide IP address-to-user name mappings,
such as service accounts or kiosk accounts.
You can also use the ignore-user list to identify users whom you want to force to authenticate using Captive
Portal.

1. Open a CLI session to the firewall.
2. To add the list of user accounts for which you do not want the firewall to perform mapping, run the
   following command:
   set user-id-collector ignore-user <value>
   where <value> is a list of the user accounts to ignore; there is no limit to the number of accounts you
   can add to the list. Separate entries with a space and do not include the domain name with the username.
   For example:
   set user-id-collector ignore-user SPAdmin SPInstall TFSReport
3. Commit your changes.

Step 7

Verify the configuration.

1. From the CLI, enter the following command:
   show user server-monitor state all
2. On the Device > User Identification > User Mapping tab in the web interface, verify that the Status of
   each server you configured for server monitoring is Connected.


Configure User-ID to Receive User Mappings from a Syslog Sender


The following topics describe how to configure the User-ID agent (either the Windows agent or the integrated
agent on the firewall) as a Syslog listener:

Configure the Integrated User-ID Agent as a Syslog Listener

Configure the Windows User-ID Agent as a Syslog Listener

Configure the Integrated User-ID Agent as a Syslog Listener


The following workflow describes how to configure the PAN-OS integrated User-ID agent to receive syslog
messages from authenticating services.
The PAN-OS integrated User-ID agent accepts syslogs over SSL and UDP only. However, you
must use caution when using UDP to receive syslog messages because it is an unreliable
protocol and as such there is no way to verify that a message was sent from a trusted syslog
server. Although you can restrict syslog messages to specific source IP addresses, an attacker
can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages
into the firewall. As a best practice, always use SSL to listen for syslog messages. However, if
you must use UDP, make sure that the syslog server and client are both on a dedicated, secure
VLAN to prevent untrusted hosts from sending UDP traffic to the firewall.

Collect User Mappings from Syslog Senders

Step 1

Determine whether there is a pre-defined syslog filter for your particular syslog sender(s).
Palo Alto Networks provides several pre-defined syslog filters, which are delivered as Application content
updates and are therefore updated dynamically as new filters are developed. The pre-defined filters are global
to the firewall, whereas manually-defined filters apply to a single virtual system only.
Any new syslog filters in a given content release will be documented in the corresponding release note along
with the specific regex used to define the filter.

1. Verify that your Application or Application and Threat database is up to date:
   a. Select Device > Dynamic Updates.
   b. Click Check Now (located in the lower left-hand corner of the window) to check for the latest
      updates.
   c. If a new update is available, Download and Install it.
2. Check to see what pre-defined filters are available:
   a. Select Device > User Identification > User Mapping.
   b. In the Server Monitoring section of the screen, click Add.
   c. Select Syslog Sender as the server Type.
   d. Select the Filter drop-down and check to see if there is a filter for the manufacturer and product
      you plan to forward syslogs from. If the filter you need is available, skip to Step 5 for
      instructions on defining the servers. If the filter you need is not available, continue to Step 2.


Step 2

Manually define syslog filter(s) for extracting the User-ID IP address to username mapping information from
syslog messages.
In order to be parsed by the User-ID agent, syslog messages must meet the following criteria:

Each syslog message must be a single-line text string. Line breaks are delimited by a carriage return and a
new line (\r\n) or a new line (\n).

The maximum allowed size of an individual syslog message is 2048 bytes.

Syslog messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple
packets.

A single packet may contain multiple syslog messages.

1. Review the syslogs generated by the authenticating service to identify the syntax of the login events.
   This enables you to create the matching patterns that will allow the firewall to identify and extract
   the authentication events from the syslogs.
   While reviewing the syslogs, also determine whether the domain name is included in the log entries. If
   the authentication logs do not contain domain information, consider defining a default domain name when
   adding the syslog sender to the monitored servers list in Step 5.
2. Select Device > User Identification > User Mapping and edit the Palo Alto Networks User-ID Agent Setup
   section.
3. On the Syslog Filters tab, Add a new syslog parse profile.
4. Enter a name for the Syslog Parse Profile.
5. Specify the Type of parsing to use to filter out the user mapping information by selecting one of the
   following options:
   Regex Identifier: With this type of parsing, you specify regular expressions to describe search
   patterns for identifying and extracting user mapping information from syslog messages. Continue to
   Step 3 for instructions on creating the regex identifiers.
   Field Identifier: With this type of parsing, you specify a string to match the authentication event,
   and prefix and suffix strings to identify the user mapping information in the syslogs. Continue to
   Step 4 for instructions on creating the field identifiers.


Step 3

If you selected Regex Identifier as the parsing Type, create the regex matching patterns for identifying the
authentication events and extracting the user mapping information.
The example below shows a regex configuration for matching syslog messages with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
If the syslog contains a standalone space and/or tab as a delimiter, you must use an \s (for a space) and/or
\t (for a tab) in order for the agent to parse the syslog.

1. Specify how to match successful authentication events in the syslogs by entering a matching pattern in
   the Event Regex field. For example, when matched against the example syslog message, the following regex
   matches exactly one ({1}) occurrence of the string authentication success. The backslash before the
   space is a standard regex escape character that instructs the regex engine not to treat the space as a
   special character: (authentication\ success){1}.
   Anchor the Event Regex on the success string rather than on a generic login message: a pattern that
   also matched failure events would map the attempted username, which any unauthenticated client can
   choose, to its source address.
2. Enter the regex for identifying the beginning of the username in the authentication success messages in
   the Username Regex field. For example, the regex User:([a-zA-Z0-9\\\._]+) would match the string
   User:johndoe1 in the example message and extract johndoe1 (the first capture group) as the username.
   Combined with a Default Domain Name of acme, this produces the user mapping acme\johndoe1.
   If the syslogs do not contain domain information and you require domain names in your user mappings,
   be sure to enter the Default Domain Name when defining the monitored server entry in Step 5.
3. Enter the regex for identifying the IP address portion of the authentication success messages in the
   Address Regex field. For example, the regular expression
   Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) would match an IPv4 address
   (Source:192.168.3.212 in the example syslog).
4. Click OK.


Step 4

If you selected Field Identifier as the parsing Type, define the string matching patterns for identifying the
authentication events and extracting the user mapping information.
The example below shows a field identifier configuration for matching syslog messages with the following
format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
If the syslog contains a standalone space and/or tab as a delimiter, you must use an \s (for a space) and/or
\t (for a tab) in order for the agent to parse the syslog.

1. Specify how to match successful authentication events in the syslogs by entering a matching pattern in
   the Event String field. For example, when matched against the sample syslog message, you would enter the
   string authentication success to identify authentication events in the syslog.
2. Enter the matching string for identifying the beginning of the username field within the authentication
   syslog message in the Username Prefix field. For example, the string User: identifies the beginning of
   the username field in the sample syslog.
3. Enter the Username Delimiter to mark the end of the username field within an authentication syslog
   message. For example, if the username is followed by a space, you would enter \s to indicate that the
   username field is delimited by a standalone space in the sample log.
4. Enter the matching string for identifying the beginning of the IP address field within the
   authentication event log in the Address Prefix field. For example, the string Source: identifies the
   beginning of the address field in the example log.
5. Enter the Address Delimiter to mark the end of the IP address field within the authentication success
   message. For example, if the address is followed by a line break, you would enter \n to indicate that
   the address field is delimited by a new line.
6. Click OK.

Step 5

Define the servers that will send syslog messages to the firewall for user mapping purposes.
You can define up to 50 syslog senders per virtual system and up to a total of 100 monitored servers,
including syslog senders, Microsoft Active Directory, Microsoft Exchange, or Novell eDirectory servers. The
firewall will discard any syslog messages received from servers that are not on this list.

1. Select Device > User Identification > User Mapping.
2. In the Server Monitoring section of the screen, click Add.
3. Enter a Name and Network Address for the server.
4. Select Syslog Sender as the server Type.
5. Make sure the Enabled check box is selected.
6. (Optional) If the syslogs that the authenticating device sends do not include domain information in the
   login event logs, enter the Default Domain Name to append to the user mappings.
7. Click OK to save the settings.

A Syslog sender using SSL to connect will only show a Status of Connected when there is an active SSL
connection. Syslog senders using UDP will not show a Status value.
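The parsing that Steps 2 through 5 describe, as an added example that is not Palo Alto Networks code: a small
Python model of a Regex Identifier profile and a Field Identifier profile, each built from the patterns the
guide gives for its sample message, applied to one constructed UDP datagram. The datagram, the extra messages
in it (a domain-qualified user, an oversized message, a failed login) and the default domain acme are
assumptions made for illustration; the line splitting and the 2048-byte limit follow the criteria listed in
Step 2, and the Default Domain Name is prepended only when the extracted username carries no domain of its
own.

```python
# Added example (not Palo Alto Networks code): offline model of User-ID syslog parsing.
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

MAX_SYSLOG_BYTES = 2048  # per-message limit stated in the guide

# Constructed sample datagram holding several single-line messages (one packet may carry
# many). Line 2 has a domain-qualified user, line 3 is oversized, line 4 is a failed
# login; only lines 1 and 2 should yield mappings.
SAMPLE_PACKET = b"".join([
    b"[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212\r\n",
    b"[Tue Jul 5 13:15:09 2005 CDT] Administrator authentication success User:corp\\jsmith Source:10.1.2.3\n",
    b"[Tue Jul 5 13:15:10 2005 CDT] " + b"A" * 2100 + b" authentication success User:padded Source:10.9.9.9\n",
    b"[Tue Jul 5 13:16:30 2005 CDT] Administrator authentication failure User:mallory Source:192.168.3.99\n",
])

@dataclass(frozen=True)
class Mapping:
    ip: str
    user: str

def split_packet(packet: bytes) -> list[str]:
    """One message per line (CR LF or LF delimited); oversized messages are skipped."""
    return [raw.decode("utf-8", errors="replace")
            for raw in re.split(rb"\r?\n", packet)
            if raw and len(raw) <= MAX_SYSLOG_BYTES]

class RegexIdentifierProfile:
    """Event Regex gates the message; Username Regex and Address Regex capture group 1."""
    def __init__(self, event_regex: str, username_regex: str, address_regex: str):
        self.event = re.compile(event_regex)
        self.username = re.compile(username_regex)
        self.address = re.compile(address_regex)

    def parse(self, message: str) -> Optional[Mapping]:
        if not self.event.search(message):
            return None  # not a successful-login event: never map it
        user, addr = self.username.search(message), self.address.search(message)
        return Mapping(ip=addr.group(1), user=user.group(1)) if user and addr else None

# The guide's delimiter tokens; \n ends at the (single-line) message boundary.
_DELIMITERS = {r"\s": " ", r"\t": "\t", r"\n": "\n"}

class FieldIdentifierProfile:
    """Event String gates the message; each field is the text between a prefix and a delimiter."""
    def __init__(self, event_string: str, username_prefix: str, username_delimiter: str,
                 address_prefix: str, address_delimiter: str):
        self.event_string = event_string
        self.username = (username_prefix, _DELIMITERS.get(username_delimiter, username_delimiter))
        self.address = (address_prefix, _DELIMITERS.get(address_delimiter, address_delimiter))

    @staticmethod
    def _field(message: str, prefix: str, delimiter: str) -> Optional[str]:
        start = message.find(prefix)
        if start < 0:
            return None
        start += len(prefix)
        end = message.find(delimiter, start)
        value = message[start:end] if end >= 0 else message[start:]
        return value or None

    def parse(self, message: str) -> Optional[Mapping]:
        if self.event_string not in message:
            return None
        user = self._field(message, *self.username)
        addr = self._field(message, *self.address)
        return Mapping(ip=addr, user=user) if user and addr else None

def collect_mappings(packet: bytes, profile, default_domain: Optional[str] = None) -> list[Mapping]:
    """Parse every message in a datagram; prepend the Default Domain Name to bare usernames."""
    results = []
    for message in split_packet(packet):
        found = profile.parse(message)
        if found is None:
            continue
        user = found.user
        if default_domain and "\\" not in user:
            user = f"{default_domain}\\{user}"
        results.append(Mapping(ip=found.ip, user=user))
    return results

# Both profiles use exactly the patterns the guide gives for its sample message.
REGEX_PROFILE = RegexIdentifierProfile(
    event_regex=r"(authentication\ success){1}",
    username_regex=r"User:([a-zA-Z0-9\\\._]+)",
    address_regex=r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",
)
FIELD_PROFILE = FieldIdentifierProfile(
    event_string="authentication success",
    username_prefix="User:", username_delimiter=r"\s",
    address_prefix="Source:", address_delimiter=r"\n",
)

if __name__ == "__main__":
    for name, profile in (("regex", REGEX_PROFILE), ("field", FIELD_PROFILE)):
        for m in collect_mappings(SAMPLE_PACKET, profile, default_domain="acme"):
            print(f"{name}: {m.ip} -> {m.user}")
```

Both profiles produce the same two mappings (192.168.3.212 to acme\johndoe1 and 10.1.2.3 to corp\jsmith):
the oversized line is dropped before any pattern sees it, and the failed login yields nothing because neither
the Event Regex nor the Event String matches it, which is why the event pattern should be anchored on the
success wording and not on a generic login string.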


Step 6

Enable syslog listener services in the management profile associated with the interface used for user
mapping.
Use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there
is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog mes